In Case You Missed It: U.S. Major party platforms address cybersecurity. The two major parties have released their 2016 election platforms, both of which include cybersecurity planks. The Republican platform’s perspective of cybersecurity is an element of national security and international relations. The platform called for harsh responses to cyber-attacks against American businesses, institutions, and government, applauded the Cybersecurity Information Sharing Act of 2015, and pledged to “explore the possibility of a free market for Cyber-Insurance.” The Democratic platform is largely as a continuation of President Obama’s cybersecurity policies. It promises to “build on the Obama… More
Category Archives: Data Breach
HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and Are Likely a Data Breach
On July 11, 2016, the HHS Office of Civil Rights (OCR) released guidance on HIPAA covered entities’ responsibilities in a ransomware attack, a type of cyber-attack that has targeted the health care sector extensively in recent months. This guidance comes in the wake of a June 20, 2016 “Dear Colleague” letter from HHS Secretary Sylvia Burwell highlighting ransomware issues. The most notable of OCR’s statements is that ransomware attacks often constitute breaches subject to the HIPAA Breach Notification Rule.
Ransomware as Security Incident
OCR’s guidance states that the presence of ransomware on a covered entity’s or business… More
In Case You Missed It: Court certifies class in suit against Apple. On July 15, 2016, U.S. District Judge Jon S. Tigar certified a class of users of the mobile app Path, who allege that Apple facilitated the app’s access their contacts without their knowledge. In the same decision, Judge Tigar denied certification to a proposed class of consumers who downloaded the app, but never had their contacts uploaded. Apple and Path are just two defendants named in a consolidated suit relating to questions concerning whether Apple’s mobile operating system, iOS, unlawfully uploads and disseminates users’ personal information (e.g.,… More
This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch
The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.
Although it is barely a week old, the augmented-reality app has taken the smartphone world by storm, having been downloaded nearly 10 million times in the U.S., sending the stock of collaborator… More
In Case You Missed It: The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners. On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalided by the European Court of Justice last year. Stay tuned in this space for much more on the ins-and-outs of what the Privacy Shield says, and what it means for business.
News of Note: In further evidence that… More
In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach. The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices. A U.S. District Court ruling last week casts some doubt on that authority. Although the court concluded against Amazon on the facts at issue (involving in app purchases not data security), it also cast doubt on the FTC’s… More
Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a HIPAA business associate, has agreed to pay the Department of Health and Human Services Office of Civil Rights (“OCR”) $650,000 in connection with a data breach involving the nursing homes to which it provides management and IT services.
The underlying breach occurred in February 2014 (which suggests a significant backlog at OCR in resolving open matters). The breach itself was relatively insignificant compared to those we often see today involving millions of records: this was the theft of an unsecured iPhone with health information of 412 nursing home patients.
In Case You Missed It: Illinois strengthened its data privacy and security law, with the amendments going into effect in January 2017. The amendments include expanding the definition of “personal information” to include a username or email address of an Illinois resident in conjunction with a password or security question answer that would permit access to an online account. The definition is also expanded to include medical and health insurance information. However, if a company already complies with the data security elements of HIPAA and HITECH, then it will be deemed to comply with the Illinois law. Illinois’ amendments… More
In Case You Missed It: The SEC fined Morgan Stanley $1 million for a 2014 data breach. While the FTC had declined to pursue an enforcement action, blaming the breach on technical issues rather than any actions or omissions on the part of Morgan Stanley, the SEC reached a different conclusion. The SEC faulted Morgan Stanley for, among other things, failing to have adequate and up-to-date cybersecurity policies and for failing to correct gaps and flaws in its security systems. This fine is a reminder of two important things: first, that the SEC is going to be an increasingly active player… More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics, who claim that it “effectively undoes” much of EU’s data protection.
News of Note: Zuckerberg Hacked. Demonstrating that no one is immune from a cybersecurity attack, Facebook founder… More
Hedge Fund Association Symposium in Boston
The Securities and Exchange Commission has reiterated that cybersecurity threats and the adoption of sufficient policies and procedures will remain a compliance and examination priority for 2016. Please join us for a discussion of the primary threats facing managers of private funds, particularly emerging managers, and practical steps that they should be taking to protect their business from cybersecurity threats.
This event is complimentary for HFA members and friends of Foley Hoag. Space is limited.
Unfortunately, health care providers are the perfect mark for theft and extortion because they have huge amounts of sensitive information and maintain such information in computer databases at risk of infiltration. On May 17, Foley Hoag presented a webinar discussing the ongoing crime sprees involving theft of patients’ identities and health information; ransomware involved in these crimes; related data security issues affecting health care providers; and how they implicate law enforcement and the criminal law aspects of HIPAA.
To download a copy of the presentation, click here.
Watch a recording of the webinar:
On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law. Previously, companies could only bring misappropriation of trade secrets claims under state law. (Unless they were able to convince federal prosecutors to bring criminal charges under the Economic Espionage Act, which rarely ever happens.) Now, companies have the option of pursuing a federal cause of action for misappropriation of trade secrets, which brings with it… More
How Can Companies Transfer Personal Data and Remain Compliant?
The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.
Date: Wednesday, May 25 Time: 6:00 pm – 8:00 pm Location: Consulate General of France 934 Fifth Avenue New York, NY
Please use the complimentary promo code FACC to register here.
In October 2015, the European Court of Justice struck down the “safe… More
As litigators, we help clients resolve conflicts that have matured into disputes. In the realm of cybersecurity, we defend claims brought by private parties or governmental entities against companies facing the fallout from a data breach.
In advising clients in the context of litigation, we have identified tools that are available to mitigate or prevent the types of breaches that we see in litigation. In the area of cybersecurity, companies have begun to consider the… More
Hospitals are increasingly the target of hackers, particularly in the form of “ransomware.” What follows is a primer on ransomware and how to avoid being a target of it.
What is ransomware?
Ransomware is a type of malware that limits users’ access to their computer systems. It functions by locking a user’s system and/or encrypting its files. Once ransomware gains access to a single workstation, it can “travel across [a] network and encrypt any files located on… More
This article was originally published in Law360 with permission to reprint.
Businesses confronting data breaches can face litigation from private consumers as well as from governmental entities. Managing litigation risk varies in these contexts because of the limitations of bringing private rights of action. One such limitation is the requirement of proving actual harm in private actions…. More
February 3, 2016 Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment
The Working Party will not blindly accept the EU-US Privacy Shield. It welcomes the conclusion of the negotiations, but also is asking to see all documents pertaining to the new EU-US Privacy Shield by the end of February. The Article 29 Working Party will then evaluate whether the arrangement meets what it considers to be the four essential guarantees relating to the processing of data by intelligence agencies:
the processing should… More
On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (The “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).
CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.
CISA: An Optional Opportunity
CISA does not require non-federal entities (private entities and state,… More
On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.” The presentation slides from the program are available here, and reflect discussion of:
recent HHS OCR guidance on “Individuals’ Right under HIPAA to Access their Health Information 45 CFR §164.524” a new HHS OCR FAQ on EHR incentives and their interaction with HIPAA; amendment of the HIPAA Privacy Rule to address release of mental health information for firearm background checks; charges for copying of records (especially involving attorneys); a new HHS OIG… More
Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year. (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.) While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way… More
The scaffolding of the FTC’s powers in the realm of cybersecurity continues to be built. On Monday, the FTC’s Chief Administrative Law Judge D. Michael Chappell issued an initial decision in the FTC’s closely watched enforcement action against LabMD. The case involves a 2008 incident in which a data security company (Tiversa Holding Co.) discovered a LabMD document containing personal information of 9,300 patients was available on a P2P file sharing network. … More
Cybersecurity and Risk Management: “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers”
A timely new resource for business executives, technology professionals, and lawyers alike is the newly-published Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers from the New York Stock Exchange and Palo Alto Networks. At 355 pages, the guide provides information from dozens of contributors from around the country and from various backgrounds. The guide explores 46 separate topics, focusing on such issues as prevention, developing action plans, legal and regulatory challenges, the internet of things, and building readiness… More
Data breaches are crisis moments that businesses must prepare for in many ways: not just in taking steps at prevention, but also mitigating losses, arranging for business continuity, complying with legal and regulatory requirements, and communicating adequately with customers. Waiting to think about such issues when a data breach occurs can increase costs (including the costs associated with the time needed to restore normal business operations) and harm a company’s reputation.
This last point is important and can easily be overlooked. Smart preparation… More
The FTC’s Broad Authority and FTC v. Wyndham: Thinking about the Future of Data Privacy Regulations
What makes data privacy law interesting for academics, challenging for lawyers, and frustrating for businesses is its shape-shifting structure in the face of rapidly changing technology. The recent change in the invalidation of US-EU “safe harbor” system is a useful reminder of the differences between the way the European Union and the U.S. handle questions of data privacy: whereas, generally speaking, in the EU data privacy standards are relatively uniform, in the U.S. there are as many different sets of regulations as there… More
This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:
Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.
On the other hand, large enterprises, especially those that… More
By Martha Coakley and Jon Hurst
This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.
Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.
Retailers recognize that… More
Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week, when the Third Circuit affirmed Judge Esther Salas’ refusal to dismiss the Federal Trade Commission’s lawsuit against Wyndham that… More
Seventh Circuit Allows Data Breach Class Action to Proceed Against Neiman Marcus, Despite Lack of Current Harm to Credit Card Holders
Data breaches are often followed by class action suits in which the affected individuals seek damages. Corporations defending against such suits have used a 2013 Supreme Court case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), to fight off such claims. In Clapper, the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet a stringent bar for the suit to proceed:… More
A key distinguishing feature of U.S. data privacy laws is their patchwork nature. There are industry-specific data privacy laws at the federal level (think HIPAA or the GLBA), yet there are no comprehensive federal standards that governs an entity’s obligations in the event of a data breach like the EU’s Data Privacy Directive. For data breach response, in addition to the possible application of an industry-specific law or regulation, companies doing business in the U.S. must look to… More
The next MIT Enterprise Forum of Cambridge Innovation Series event, “Building a Proactive Cyber Defense Strategy, from Tools to Tactics,” will take place tomorrow, May 27, beginning at 5:30 p.m. at the Stata Center, 32 Vassar Street, Cambridge. There is a great line-up of speakers, including our own Christopher Hart.
Last week, the Cybersecurity Unit of the Department of Justice (DOJ) issued a list of “best practices” for companies concerning preparing for and responding to cyber-attacks. The report details the lessons federal prosecutors have learned while handling cyber investigations, as well as feedback from private sector companies. Some of the key pieces of advice are:
Identify Your “Crown Jewels”: Before creating a cyber-incident response plan, companies should first identify which data, services, and infrastructure warrants the most protection. Loss of some data or services might only result in a minor disruption, which loss of others could be devastating. A… More
am just back from presenting at the New York Stock Exchange’s program on Cyber Risks and the Boardroom, where I presented on The Role of Cyber Insurance. My presentation is here: 2015_04_21_The_Role_of_Cyber_Insurance_NYSE_Presentation. It was evident from this program that the C-suite is very concerned about cyber issues, but management and their boards often lack the expertise to deal with them effectively. With specific regard to cyber insurance, the product market is new and rapidly evolving.
Update on President Obama’s “Summit on Cybersecurity and Consumer Protection,” Part III: Five Key Lessons for Business
Concluding our three-part analysis of the White House’s first Summit on Cybersecurity and Consumer Protection, we turn to some practical advice coming out of the Summit’s afternoon session, including an address by Maria Contreras-Sweet, the administrator of the Small Business Administration (“SBA”), and a panel discussion among financial sector leaders moderated by Deputy Treasury Secretary Sarah Bloom Raskin.
Here are five takeaways for companies large and small:
Companies are only as secure as their most vulnerable employee. In the course of the panel discussion, Mike George, CEO of QVC, elaborated on how training and constant vigilance were at the… More
The first ever Summit on Cybersecurity and Consumer Protection was convened today at Stanford University, keynoted by President Obama. The purpose of the summit: to “bring together major stakeholders on consumer financial protection issues to discuss how all members of our financial system can work together to further protect American consumers and their financial data.” These stakeholders, a number of public and private sector leaders, preceded the President with several speeches and panels. Here are some key takeaways from these earlier speakers, as well as a brief look at President Obama’s remarks:
Collaboration is front and center. As… More
With every swipe of a credit card this holiday season, consumers put their faith in the companies that process and store their information. Yet, it is no secret that data breaches are on the rise, hitting companies large and small. Massive data breaches recently struck Target and Home Depot, to just name a few, and these two breaches alone affected hundreds of millions of consumers and cost the companies hundreds of millions of dollars. Sony Pictures… More
Last week, the HHS Office of Inspector General released a damning report on FDA’s data security: “The objective of this review was to determine whether the FDA’s network and external Web applications were vulnerable to compromise through cyber attacks.” In short, they were vulnerable:
Overall, FDA needed to address cyber vulnerabilities on its computer network. Although we did not obtain unauthorized access to the FDA network, we identified the following issues:
Web page input validation was inadequate, external systems did not enforce account lockout procedures, security assessments were not… More
The highly publicized hacking of the iCloud accounts of dozens of celebrities was disclosed over Labor Day weekend and has raised larger, more serious concerns regarding the security of personal and corporate data held in the cloud.
Several explanations for how the hack was achieved have been offered, with some initial pointing the finger at potential flaws in Apple’s security system. In a press release on Tuesday, Apple denied that the hacking stemmed from “any breach in any of Apple’s systems,” and pointed to “a very targeted attack on user names, passwords and security questions,… More
As previously discussed here, Target suffered a massive data breach at the end of last year that compromised the information of 70 million or more consumers. Within days of the announcement, class action lawsuits were filed against Target around the country, including in California, Massachusetts, Minnesota, Ohio, and Utah. These class actions fall into three general categories: (1) those brought by consumers whose information was compromised; (2) those brought by financial institutions such as banks and credit unions that service these consumers; and (3) derivative actions brought by Target shareholders.
In April,… More
Data breach law in the United States might have just become a lot less patchy, but a little more uncertain. On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES. This case arises out of a FTC action, brought under the deception and unfairness prongs of Section 5(a) of the FTCA (15 USC s. 54(a)), against Wyndham Worldwide relating to a series of data breaches between April 2008 and January 2010. The question before the court, on a 12(b)(6) motion to dismiss brought by Wyndham,… More
I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed. Talk to your IT folks about this sooner rather than later:
By Nicole Vincent Fleming
April 11, 2014 – 4:23pm
If you’re thinking “Heartbleed” sounds serious, you’re right. But it’s not a health condition. It’s a critical flaw in OpenSSL, a popular software program that’s used to secure websites and other services (like… More
Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC). On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants. The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to how they are addressing those challenges. This roundtable follows hard on the heels of the Financial Industry Regulatory Authority (FINRA) sending targeted sweep letters in January-February 2014 to broker-dealers querying their approaches to managing cybersecurity risks.
Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach. Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.
The penalty, which also is described in a securities filing, is based a breach involving 13,336 of Triple-S’s Dual Eligible Medicare beneficiaries. This penalty dwarfs the previous record fine of $4.3 million, which was related to non-cooperative behavior after a breach by Cignet Health in 2011.
Sony Class Action Has A Few Lives Left; Most of Plaintiffs’ Claims Dismissed But Certain Consumer Claims Remain
On January 21, 2014, U.S. District Judge Anthony Battaglia issued a 97 page orderthat dismissed the majority of the claims in a putative class action against various Sony entities, claims relating to the 2011 hack into the computer network system that Sony used to provide online gaming and Internet connectivity through PSP handhelds and PS3 game consoles.
According to Judge Battaglia, “The fifty-one claims alleged in the FACC can be categorized into nine sub-groups: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied… More
As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers. Now that the dust has started to settle, the extent of the breach is becoming clearer. In December, Target announced that 40 million credit and debit card numbers were stolen in this hack. Further investigation has uncovered that hackers also obtained the “names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” While there is probably some overlap between the two groups, Target says that it still does not know the extent… More
Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications:
Legislation: In the past, we have seen major breaches drive legislative change. But now that most states have data security statutes, it seems unlikely that much will happen at the state level. And action at the federal level has been long promised, but remains a distant vision. Law enforcement: While the actual hackers may remain elusive, Target is an easy target. Expect significant investigations, record-setting financial penalties and a burdensome compliance agreement for Target. And, of course,… More
A recent article in Law360 discusses how “technical problems plaguing the Affordable Care Act’s online insurance marketplace could expose vast amounts of personal data to theft….” I noted in that article that while these concerns were valid, they are simply expanded versions of existing exposures in payor databases:
“Will breaches and improper disclosures happen as part of the new federal and state exchanges? I wouldn’t bet against it,” said Foley Hoag LLP privacy and data security practice co-chair Colin Zick. “But it’s not a new world — just an expansion of the existing one.”
So far, the simple access… More
Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday. The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button. As expected, Apple’s use of biometric authentication has raised a number of security and privacy concerns among the public. For example, Senator Al Franken sent a letter to Apple stating that “important questions remain about how this technology works, Apple’s future plans for this technology, and the legal protections that Apple… More
In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA:
Ex-employees sued over computer use Judge narrowly construes CFAA
By Eric T. Berkman
A technology company could not sue former employees for downloading proprietary information onto personal storage devices before they joined a competitor without showing that the employees had physically accessed the information through fraudulent or unlawful means, a U.S. District Court judge has ruled.
The employer brought the… More
Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes
In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions. With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes. Especially vulnerable are those retailers that collected customer ZIP Codes and used them to send unwanted marketing materials or sold the ZIP Codes or information derived from them to third parties. But any retailer that has collected ZIP Codes should be on… More
The revised HIPAA regulations were formally published today in the Federal Register. In this form, they only take up 138 pages!
Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes. While I’m not sure I agree with the quote that “This is a paradigm shift in the privacy world,” I do agree that this is “definitely something for all businesses to pay attention to.” Similarly, I agreed that “now that the starting gun has sounded, it’s a race to get ready by the Sept. 23 compliance… More
On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations.
In the 563 pages of the regulations and related regulatory comments, there are many substantive and technical changes. However, we distilled two major themes in these revisions:
Extension of HIPAA generally, and in particular the direct extension of HIPAA to business associates and their subcontractors, so that now… More
Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump
The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.” Under the settlements, the defendants have agreed to pay a total of $140,000 for civil penalties, attorney fees, and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in Massachusetts.
The Attorney General alleged that Joseph and Louise Gagnon, d/b/a Goldthwait Associates, violated Massachusetts data security… More
The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations.
HHS OCR began its investigation after HONI reported to it that an unencrypted laptop computer containing the electronic protected health information (“ePHI”) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of… More
It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled: “Protecting Health Information: Health Data Security Training.” We covered the latest in federal law (HIPAA, HITECH) and Massachusetts law.
Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million
Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations. As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information.
OCR’s investigation followed a breach report submitted by MEEI, as required by the HIPAA Breach Notification Rule, reporting the 2010 theft of an unencrypted personal laptop containing the electronic protected health information of MEEI patients and research subjects while… More
The new system is called the Next Generation Air Transportation System, or NextGen. It will be highly automated. It will rely on GPS instead of radar to locate planes, and it is designed to allow air traffic controllers and pilots to pack more planes, helicopters and eventually drones into our skies.
The trouble is that NextGen can be (and has been) hacked, even before it’s been formally rolled out. According to the NPR report, the FAA’s response to this hacking has been quite mild:
A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. As described by the court in its opinion:
Over seven days in May 2009, [People’s United] Bank, a southern Maine community bank, authorized six apparently fraudulent withdrawals, totaling $588,851.26, from an account held by Patco Construction Company, after the… More
You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following:
change the information protected to “personally identifiable information” (it was formerly “personal information”); exclude from the definition of “security breach” mere “unauthorized access” and “good faith but unauthorized acquisition” of PII; require notice of breaches now be made “45 days after the discovery or notification”; and require entities suffering a breach to “provide notice… More
A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security
On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat.
On Information Sharing: This is a continuing challenge, in part because of the way the federal government shares information. At present, the federal government provides cyber threat information to private sector organizations, but prohibits discussion between those very organizations. His Office at DHS is working to address this unintended siloing of information, so as to allow for greater cooperation and collaboration.
On Research and Development: He views cyber security… More
Data Breaches Keep Privacy and Security Lawyers Increasingly Busy and Looking for Recruits, But Recruits Are Hard to Find
Interesting article from Of Counsel regarding both the substance and the business of data privacy and security law. Lawyers from several firms (including me) talk about current and pending legislation, the mechanisms of compliance and breach response, and the pipeline for new lawyers in the field of data security and privacy.
One of the other attorneys discussed the shortage of trained attorneys in this area as follows:
You’d think, "Well heck, privacy has been around forever." But this is different. At law schools they need to find someone to teach this,… More
Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges
An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.” This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients.
The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s South Shore Hospital, relating to a 2010 data breach.
According to the Attorney General’s press release:
South Shore Hospital has agreed to pay $750,000 to resolve allegations that it failed to protect the personal and confidential health information of… More
The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011:
Through September 30, 2011, the largest share of breaches was not in the financial sector, but in the retail and healthcare industries, along with government. Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business… More
In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords. But despite the efforts of these researchers, the article’s conclusion is a gloomy one:
The upshot is that there is probably no right answer. All security is irritating (ask anyone who flies regularly), and there is a constant tension between people’s desire to be safe and their desire for things to be simple. While that tension persists, the hacker will always get through.
Ponemon “data breach” cost
$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule
The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective action plan to address gaps in its HIPAA compliance program. The enforcement action is the first resulting from a breach report required by the HITECH Act’s Breach Notification Rule.
The investigation started with a notice submitted by BCBST to HHS reporting… More
Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces? A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition of assets.
Apparently Nortel found and investigated the breach in question, but did not try to determine if its products were compromised. Nortel’s internal structure also provided little barrier to hackers; according to a Wall Street Journal interview of a former employee, "Once you were… More
An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients. The individual made this improper access in order to send marketing materials to patients at the other practice.
The individual worked as an information technology specialist for a perinatal medical practice in Atlanta. He separated from employment from the first practice and joined a competing perinatal medical practice, located in the same building. He then used his home computer to hack into his former employer’s patient database. He downloaded the names, telephone numbers, and addresses… More
My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."
* * *
No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in the cloud. However, there is growing consensus about what companies should ask cloud vendors to maintain a secure IT environment and avoid potential legal risks associated with the cloud.
General areas of concern surrounding the cloud are… More
“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting
In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach. Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity.
The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s car was broken into and a company laptop stolen. The ramifications included:
spending nearly $300,000 in legal, private investigation, credit monitoring and media consultancy fees; devoting 600 person-hours of staff time to the breach; hiring a crisis team of lawyers and customers and a chief security officer; hiring… More
At most restaurants, when the time comes to pay the check, you hand over your credit card and a waiter you’ve known for only about an hour takes off with your credit card. You trust that the waiter will only charge your meal and won’t make off with your card number. But if you ever have been to a Legal Sea Foods restaurant, you will notice that the waiter brings a handheld electronic device to your table to swipe your credit card when you are ready to pay the bill. The credit card never leaves the customer’s sight.
Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an organization with which they were dealing:
Change passwords on that organization’s website and other sites (87%) Stop dealing with that organization entirely (76%) Publicly expose the issue (65%) Take legal action (53%) Continue dealing with the organization but not online (31%)
There is an interesting article in this week’s Boston Business Journal on venture capital in the data security space: "Securing profits: Venture capitalists betting online security will be big money-maker."
Late last week, the U.S. Court of Appeals for the First Circuit ruled that victims of a data breach could pursue compensation from the merchant whose systems were breached for their costs of credit card replacement and identify theft insurance, under theories of breach of implied contract and negligence. See Anderson v. Hannaford Brothers Co., — F.3d —, 2011 WL 5007175 (1st Cir. Oct. 20, 2011).
As alleged by the plaintiffs in their class-action complaint, the Hannaford Brothers grocery store chain suffered a data breach resulting in 1800 fraudulent charges worldwide and hackers stealing up to 4.2 million credit… More
It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches.
Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys to open the front door. According to a statement by Sony, the attackers tested a “massive set” of log-in credentials, consisting of pairs of user IDs and passwords, against accounts on three of its networks. Even though the “overwhelming majority” of the log-in attempts failed,… More
Please join me and my friends at Co3 Systems for a free webinar,"Data Breaches & Compliance: Understanding The Law and How You Can Prepare" to be held on Thursday, October 20, 2011 1:00 p.m. – 2:00 p.m. EDT. To add this webinar and the call-in information to your Outlook calendar, click here. I will be presenting with Ted Julian of Co3; Ted brings a wealth of experience from working at Arbor Networks, Application Security, Inc. and @stake (which was acquired by Symantec), and he helped spearhead security practices with Forrester, IDC and Yankee Group.
As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20. The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley. As described by MassHighTech:
Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the government, industry and academia, the ACSC is also hosted at the five universities that make up the Massachusetts Green High Performance Computing Center – MIT, Harvard University, Boston University, Northeastern University and the University of Massachusetts.
The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8. This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies. In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses that collect the personal information of over 10,000 customers to employ specific privacy and security measures, including risk assessment, regular testing of system controls, and paying for two years of credit monitoring for any customer whose data is breached. If adopted, this bill would permit the… More
A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, the prisoner, Christine Alexander, sued several correction officials because those officials had sent documents regarding her “request for Propecia for hair loss” to another inmate without her permission.
The court found that the inmate-patient had a claim under the Massachusetts Privacy… More
The Privacy Rights Clearinghouse has created in an interesting tool, a "Chronology of Data Breaches." It doesn’t promise that it is comprehensive; what it does say is that it is a "useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches."
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265. This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed. Given that the last reported date of breach on the OCR’s list is May 8, there are surely over 300 breaches that have now been reported.
In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with those rules. This follows on the heels of Massachusetts General Hospital’s $1 million settlement with OCR.
The resolution agreement resolves two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLAHS. The complaints… More
hackers Anonymous “Lulz Security”
Increasingly, alliances are viewed as an important way to improve data security. The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries. We have previously noted two other initiatives: the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and InfraGuard, a Federal Bureau of Investigation program. One of the oldest and best examples of successful collaboration is PCI, the credit card industry’s security program.
We are six months into 2011, and it seems destined to be “The Year of the Breach.” In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach:
Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting Lockheed Martin); Citigroup: breach of credit card numbers: Sony: multiple thefts of customer data; Sega: customer data theft; and ADP: breach of its benefits-administration business.
What does this mean? First, there are simply more breaches to report. Second, companies are being more open about… More
Does Briar Group’s Massachusetts Settlement Create a New Legal Standard That Businesses Must Meet to Protect Personal Information?
A recent settlement in a data breach case exemplifies how the government can go beyond a statutory scheme and use private industry standards to protect personal information and impose sanctions on violators.
The Massachusetts AG filed suit against the Briar Group, the owner of a number of bars in the Boston area (including two of my personal favorites, the Harp and Ned Devine’s) in the wake of a 2009 data breach involving credit card numbers and other personal data. The AG’s complaint alleged, among other things, that the Briar… More
On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services. The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract. No specific damages were alleged.
Sony Breach Update: The Scope Expands, While Consumers Wait for Answers About How and Why It Happened
The scope of the Sony data breach is growing, but the public focus continues to be on Sony’s actions following the breach, rather than on steps to prevent or mitigate events like these in the first place. As we noted earlier, this focus emphasizes a de facto burden-shifting, in which consumers bear the risk of using on-line or other services, and also are left to face the consequences of any resulting identity theft.
Sony last week announced that 77 million PlayStation and Qriocity accounts had been accessed by hackers in mid-April. This week, Sony discovered that an… More
Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information are not necessarily awake at the switch. Two weeks after this “illegal and unauthorized” intrusion — which took place sometime between April 17 and April 19, there is still no confirmation that Sony’s PlayStation and its related service, Qriocity, had adequate (or any)… More
When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website. It’s safe to expect these figures will continue to climb for the foreseeable future.
In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:
“Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. It comes down to someone doing something stupid,” said Colin Zick, a partner in the Boston office of Foley Hoag. “In the Mass General case, an employee took some records on the Red Line and lost them.” “When companies are bombarded with… More
If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list." The text of that email was as follows:
To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member email list. We’ve confirmed the source of the vulnerability and shut it down. We’re taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won’t. Only a portion of… More
On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information. According to California regulators, these servers appear to contain the data of 1.9 million people nationwide:
The company announced today that nine of its server drives containing personal information for 1.9 million current and past enrollees nationwide are missing, including records for more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare..
Since this is the… More
As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights. This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the… More
Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy
My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including:
§Resolution Agreement with Providence Health & Services–July 16, 2008 Settlement: $100,000 §Resolution Agreement with CVS Pharmacy, Inc.–January 16, 2009 Settlement: $2.25 million §Resolution Agreement with Rite Aid Corporation–July 27, 2010 Settlement: $1 million §Resolution Agreement with Management Services Organization Washington, Inc.–December 13, 2010 Settlement: $35,000 §Civil… More
As we noted back in May, digital copiers have caught the eye of government privacy enforcers. If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses. In that Guide, the FTC suggests that “your information security plans . . . should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.”
You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time
In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)."
This result comes as no real surprise. These conclusions build on prior studies which have repeatedly shown that password strength is weak. It is perhaps the easiest and cheapest way to increase IT security and yet it continues to receive short shrift.
The study also noted that "the files… More
500 Is a Magic Number: Health Information Breaches Impacting 499 or Fewer Patients Likely Go Uninvestigated By OCR
In the recently-released fiscal 2012 budget for HHS, a dirty little secret has been acknowledged: the Office of Civil Rights does not have the resources to review all reported breaches of health information. In fact, if you have a breach that impacts up to 499 people, you are unlikely to hear from OCR at all:
Current OCR practice is to validate, post to the HHS website, and subsequently investigate all breach reports that impacted more than 500 individuals. Breach reports that impacted fewer than 500 individuals are compiled for future reporting to Congress; however they are treated as discretionary and… More
As so often happens following a hospital’s involvement in a high profile event, the Tucson hospital treating the victims of the recent shooting is reported to have fired several staff, presumably for looking at patient records they should not have looked at:
Katie Riley, the Director of Media Relations in the Office of Public Affairs at the
Arizona Health Sciences Center said in a statement:
“University Medical Center takes the privacy of all patients very seriously. The hospital has terminated three clinical support staff members this week for inappropriately accessing confidential electronic medical records, in accordance with… More
In January, we provided some helpful hints about passwords, in our entry: Is Your Password Still "123456"? If So, It’s Time for a Change.
It’s been nearly a year, so it’s time to change your password again. In case you need some help, we liked the guidance provided by the public radio program, Marketplace, in a recent broadcast. Ironically, these recommendations come from an expert whose company’s password databases had just been hacked.
Following on the heels of the discovery of hospital records in a town garbage dump, today’s Boston Globe reported that "computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are ‘unrecoverable.’" However, the investigation into this breach determined that there was a low of harm risk to those individuals whose records were lost, given that the tapes in question "would require specialized equipment and software to read the information."
According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with Alberto Gonzalez breach. Bloomberg News has reported the case was settled for $595,000 in legal fees and an agreement regarding enhanced oversight of customer files. There is no reference to this suit in TJX’s most recent Form 10-Q.
Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports]. The highlights of the survey were announced in PGP’s press release. Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million. That is $142 per customer affected by the breach.
Unfortunately for U.S. businesses, the survey found that data security breaches… More
One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?
Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data. BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 hard drives.
While the breach itself is significant for its size, the subsequent remediation efforts are also worthy of note. As of April 2, a total 998,422 current and former BCBSTN members have been identified and 550,873 notifications have been sent indicating that their personal information was… More
Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft’s “Global Criminal Compliance Handbook” that pulled website Cryptome.org from the Internet, at least temporarily. The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites. Microsoft’s DMCA demand to Cryptome’s service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.
Microsoft made this public statement:
Like all service providers, Microsoft must respond… More
At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals. OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop to 501 individuals impacted by the theft of a portable USB device).
1. The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster
This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in Las Vegas. The defendant agreed to the fine, which amounts to $875 per box, as well as a stipulated order (.pdf) requiring him to adopt a comprehensive written information security program. We first posted on this case a year ago,… More
If you or your co-workers use any of the passwords listed below, you are asking to be hacked. According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking sites. Somewhat shockingly, the password “123456” was used by nearly 1% of all RockYou users; the “top 20” RockYou passwords are reproduced below:
123456 12345 123456789 Password iloveyou princess rockyou 1234567 12345678 abc123 Nicole Daniel babygirl monkey Jessica Lovely michael Ashley 654321 Qwerty
Hackers around the… More
In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 enrollees in Connecticut and for failing to promptly notify consumers of the security breach. AG Blumenthal is also seeking a court order to require Health Net to encrypt any protected health information (“PHI”) contained on a portable… More
The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.”
The online form is straightforward, featuring pull-down options tied to the new HITECH rules: it will let you report whether your breach is for more than 500 individuals (or fewer than that), the type and location of the breach, etc. OCR estimates the form will take 15-30 minutes to complete.
Interestingly, the form does not require a statement on penalty… More
Last week, it was learned that a secret report of the U.S. House of Representatives Ethics Committee was disclosed — apparently inadvertently — by a junior committee staff member. This staff apparently stored the file on a home computer that also ran a "peer-to-peer" file-sharing service. Just as peer-to-peer services let you share music and games, they also can give outside users access to other files on your computer, including in this case secret Congressional reports. The 22-page "Committee on Standards Weekly Summary Report" contained summaries of ethics investigations of dozens of House members and some of their staff.
Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”
This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.
Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast
Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.
As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman. When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees. These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser. CDPH has determined that the hospital "failed to prevent unauthorized access to patients’ medical information, as required by Section 1280.15 of the Health and Safety Code. The hospital compromised the privacy of four patients when eight employees improperly accessed records."
The penalty amount… More
In June, a team of researchers investigating the disposal of electronics in Ghana for PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana and they contained credit card numbers and resumes. The highlight of the investigation was when they discovered unencrypted information from government contractor Northrop Grumman. The hard drives were was obtained by Frontline for $40.
In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient’s electronic medical record were to be breached. The new AMA guidelines ask physicians to:
ensure patients are properly informed of the breach and the potential for harm; follow ethically appropriate procedures for disclosure, including: a) confidential disclosure of the breach in a timely manner; and b) describing what information was subject to… More
Last month, an unusual ransom demand was made on the Commonwealth of Virginia. See Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database, May 5, 2009. In a posting late last week, the Virgina Department of Health Professions announced that it had sent a letter to affected individuals ("persons whose PMP records contained a nine-digit number that could be a social security number"). If you are crafting such a notice for your own use, this letter is of particular note. While it isn’t a universally-approved model, it would seem like a pretty good initial response to a claim… More
In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also talks about the specific problems associated with data security on peer-to-peer file sharing networks.
In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.
Security, Privacy, and The Law recently had the chance to sit down with Dr. M. Eric Johnson to talk about his recent paper “Data Hemorrhages in the Health-Care Sector.” Dr. Johnson’s study has been in the news lately because many were startled by his finding that a great deal of patient healthcare information is available on peer-to-peer (P2P) file sharing networks. We are thrilled that Dr. Johnson agreed to do a interview with Security, Privacy, and The Law and we will be posting the full interview with Dr. Johnson in several parts.
The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to be in the billions of dollars annually and that future attacks could cause physical harm or serious financial chaos.
While future spending levels will not be set until after the White House’s 60-day review of the nation’s information infrastructure is completed, the potential… More
The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested positive for steroid use in 2003 remains undecided. And the outcome of a motion now before the United States Court of Appeals for the Ninth Circuit may affect not only those 103 baseball players, but numerous athletes from other sports whose drug test results… More
Data Breach: Not Only Can Happen to You, and Your Competitors (but Now It’s Being Publicly Reported)
As state data breach reporting regimes develop, we are going to be seeing more reporting of breaches to law enforcement authorities. If you want to see what this abstract concept of “reporting” looks like (and how your own reports might be listed for the public to see), go to the web site of the New Hampshire Attorney General. On that site, you can read about 20 New Hampshire breaches that have been reported thus far in 2009 for that modestly sized state. And if you want to get a feel for the national scope of data breaches, check out the Identify… More
Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records
Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, out of “idle curiosity”. These files contained a wealth of personal information including social security numbers, phone numbers, emergency contact information, and photographs.
As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.
Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials. Read some of the highlights below.
Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?
In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA Privacy & Security Law Report, 8 PVLR 331, the CPLF “has decided to abandon efforts to develop a set of principles for omnibus U.S. privacy legislation” and is instead “now focused on crafting an industry-wide self-regulatory framework that can be tested over time… More
This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed. Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over.
The Queen’s Medical Center (“QMC”) of Hawaii recently agreed to pay $150,500 in civil money penalties for allegedly violating the confidentiality requirements applicable to National Practitioner Data Bank (“NPDB”) information. OIG alleged that QMC improperly disclosed confidential information.
According to the settlement documents, QMC… More
For those who want to see the source document, we have provided this link to the text of the American Recovery and Reinvestment Act of 2009. The health security and privacy provisions start at Section 13000, around page 112.
Adding to the Patchwork: HITECH Act Sets New “Floor” for Data Breach Notification of Certain Patient Information
On Tuesday, February 17, 2009, President Obama signed into law the widely-debated federal economic stimulus package, officially titled the American Recovery and Reinvestment Act of 2009, and with it, enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Much of the media attention on the HITECH Act has focused on the policies promoting health information technology a topic that President Obama touted throughout his campaign. However, the HITECH Act also contains myriad regulations that expand the security and privacy provisions of the Health Information Portability and Accountability Act of 1996 ("HIPAA"), and generally extends some of those regulations… More
ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations
On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010.
The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal information, including social security numbers, state identification numbers and financial account information, about any Massachusetts residents. Under amended regulations filed Thursday, individuals and businesses covered by the regulations must evaluate existing security measures and implement written information security programs on or before… More
It has been a bad week for the federal government’s own information security track record.
The first story comes from the FAA where hackers broke into the agency’s computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the past year alone. In both instances the American people appear to have dogged a bullet. The electronic intrusion into the FAA appears to have been limited to a raid of personal information and did not interfere with air traffic control systems. Also, the physical thefts… More
According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.” [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 data breaches in 2008.
ITRC considers “accidental exposure” to be those breaches caused by “inadvertent internet/web posting.” For example, consider the accidental exposure the ITRC labels as “ITRC20080709-02”. In this highly publicized case, an employee at Wagner Resource Group installed the peer-to-peer file sharing… More
According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: MacAfee requires registration to downloade the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.
The McAfee Report makes four key findings:
Increasingly, important digital information is being moved between companies and across continents and is being lost. The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which leads to increased opportunities from outside… More
Most of us remember fondly the Winnie-the-Pooh stories by A.A. Milne from our childhood. One that is memorable for me is “Piglet Meets a Heffalump.” In that story, Winnie-the-Pooh and Piglet plot to catch the new animal they believe is living in the Hundred Acre Wood. They have named this animal the Heffalump. They set a trap for the Heffalump, but instead of catching it, Pooh instead becomes trapped in the hole he had dug to catch the Heffalump. To add insult to injury, Pooh gets his head stuck in a pot of honey that he had attended to attract the Heffalump to… More
Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents
On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report(.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase in numbers from 2007 to 2008 could be a result of an increase in data breach incidents, and most of the reporting on the ITRC’s report take this view, but it could also be due to increased media interest, new mandatory reporting laws, and a… More
On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” as including “any time necessary to determine the scope of the security breach, prevent further disclosures, and restore the reasonable integrity of the data systems and provide notice to law enforcement when required.” In addition to requiring notice to the affected individual(s), the bill requires that… More
High-profile Massachusetts businesses and industry groups have sent Massachusetts governor Deval Patrick a letter requesting that the governor reissue existing identity theft regulations and give battered businesses two additional years to develop information security programs.
Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.
ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations
On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.
ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations
On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.