Archives: HIPAA/HITECH

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog

Written by Jordan Cohen

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results). Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.

As night follows day, by the following Tuesday – July 21, 2015 – UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act. Continue Reading Data Breach = Class Action Suit. Again.

It’s Monday! Once again, data breaches and hacks are front and center, so here are three stories you should know about to start your week.

1. The Site that Promises “Discreet Encounters” Hacked — Karma?

If you have not heard the provocative ad campaign launched by a site called AshleyMadison, it may surprise you to know that a self-described site dedicated to “infidelity and married dating” has over 37 million members. Then again, maybe not. In any event, the site that bluntly declares “Life is short. Have an affair.” has apparently been hacked, according to Krebs on Security. A group calling itself “The Impact Team” claims to have gained access to the databases of Avid Life Media (ALM), the company running AshleyMadison. The booty The Impact Team allegedly possesses includes payment and personal information of the nearly 37 million members of AshleyMadison — most of whom presumably would desperately want to remain anonymous — as well as internal business information and network and technology mapping of ALM.

The Impact Team’s demand is aimed straight at ALM’s business and demands that either ALM take AshleyMadison and its other site Established Men (“Connecting young beautiful women with interesting men”) offline, or the data dump will be made public. “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver … And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.” According to ALM, they are working with law enforcement to track and shut down the hackers.

Until then, there are a lot of nervous cheaters out there today …..

Mashable

Wired

2. Another High Profile Healthcare Data Breach

UCLA Health System reports that a criminal hack attack could have accessed the health information of as many as 4.5 million patients. According to the public statement and notices made by the provider, an intruder apparently gained access to its computer system and activity was tracked to a part of the network where unencrypted patient information was stored. Although UCLA Health does not have any information that leads it to believe that such information was stolen, because the records were not encrypted, patients were notified out of the ubiquitous “abundance of caution.” Suspicious activity was apparently discovered by the health system back in October 2014 but the access was not discovered until May 2015 as part of the ongoing investigation. The Los Angeles Times has published an FAQ regarding the hack.

The takeaway: If encryption of information “in transit” is a prophylactic against theft, then encryption of sensitive records “at rest” is an insurance policy — it is less expensive than providing notice and credit monitoring and certainly more protective of your company’s reputation.

3. The FCC Issues Long-Awaited Autodialer Order

The Federal Communication Commission has released its long-awaited “omnibus” Declaratory Ruling and Order clarifying certain provisions of the Telephone Consumer Protection Act of 1981 (“TCPA”). In the Order, the FCC responded to 21 petitions by a number of companies and trade associations seeing relief or clarification regarding requirements of the TCPA, particularly with respect to so-called “autodialers.” Mintz Levin’s Communications group has published a client alert analyzing the provisions of the Order. Read it here.

Register now for our June Wednesday Webinar. This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and some state laws. Join us for a roundtable discussion with a group of privacy and security professionals, moderated by Mintz Levin’s Cynthia Larose, on risk assessment best practices and data breach readiness.

You can’t manage the risk if you do not know what it is — a risk assessment is the first step towards effective — and proactive — risk management.

Registration is open here. Hope you will join us!

The New York State Department of Financial Services (the “Department”) recently released a “Report on Cyber Security in the Insurance Sector” (the “Report”). The Report was released on February 8, 2015, just four days after Anthem first reported the breach of its database estimated to contain as many as 80 million customer records. While the Report does not directly address the Anthem breach (the Department addressed Anthem’s breach in a separate alert), its findings provide a detailed look at the current cyber security landscape in which the Anthem breach occurred.

The Report analyzes survey data collected from 43 insurance entities that collectively hold a staggering $3.2 trillion of combined assets. Of these 43 entities, 21 are health insurance providers, 12 are property and casualty insurance providers, and 10 are life insurance providers. The Report’s questions address six main topics: (1) the insurer’s information security framework; (2) the use and frequency of penetration testing and results; (3) the budget and costs associated with cyber security; (4) corporate governance around cyber security; (5) the frequency, nature, cost of, and response to cyber security breaches; and (6) the company’s future plans on cyber security. In an effort to obtain a broader understanding of the context of these cyber security programs within the insurers’ overall risk management strategy, the Report also analyzes the statutorily required enterprise risk management (“ERM”) reports that certain insurers filed with the Department.

To read more on the Report, head over to our sister blog, Mintz Levin’s Health Law & Policy Matters.

Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series —

This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.

Save the date and register online here!

Continue Reading Register for our next Wednesday Webinar — February 25

By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next. Continue Reading The Anthem Data Breach: The Fallout and What’s Next

Blizzards can affect even “virtual” events — tomorrow’s “How to Survive a HIPAA Audit” webinar has been rescheduled to February 4th. You can still register here.

Good Monday – The East Coast prepares for Apocalypse (Sn)ow.

In the meantime, here are three privacy-related tidbits for your day.

Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data

We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. Just ask Target. Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not. The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data. According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”

The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.

New York Times — Is the data usage “industry standard” and much ado about SOP?

CNN Money

Continue Reading Privacy Monday – January 26, 2015

Celebrate Data Privacy Day! On Wednesday January 28^th, Mintz Levin’s Dianne Bourque, will be presenting a webinar on how to survive a HIPAA audit.

With the New Year in full swing, the HHS Office of Civil Rights (“OCR”) is resuming its random audit program to assess compliance with HIPAA privacy, security and breach notification rules. While Phase I of the OCR audit program involved on-site visits, OCR will conduct Phase II audits by performing desk review of documentation. Findings during a Phase II audit can lead to enforcement and failure to comply can lead to the imposition of civil monetary penalties.

During this webinar, Dianne will discuss lessons learned from Phase I of the audit program and how best to incorporate those lessons into Phase II preparations. She will also discuss how to identify and eliminate compliance gaps, in case you are chosen for an audit.

Phase II audits can happen to covered entities and business associates alike.

Learn more about how you should be preparing and register for this webinar by clicking here.

The First Rule of How to Survive a HIPAA Audit: Be Prepared

2015 is bringing along with it the start of the HHS Office for Civil Rights random audit program to assess compliance with the HIPAA privacy, security and breach notification rules. It is anticipated that 300-400 business associates will be the subject of a desk audit and an undisclosed number of lucky business associates and covered entities will be chosen for intensive, on-site audits. Remember, if your business provides services to a healthcare entity covered by HIPAA, you are likely a business associate.

So, here’s the question: are you audit-ready?

In a free webinar, Mintz Levin’s Dianne Bourque will walk you through how to prepare now in the event that you are one of the chosen.

Save the date: Wednesday, January 28, 2015 1:00 PM ET/10:00 AM PT

Registration information will follow!