As we reported earlier, Florida lawmakers passed extensive revisions to its existing data breach notification law, SB 1524. On June 20, 2014, Florida’s Governor Rick Scott signed the bill into law, which becomes effective on July 1, 2014. Our earlier post provides more of a discussion about key provisions of the law. But here are a… Continue Reading
Since mid-2013, the Department of Health and Human Services has recovered more than $10 million from numerous entities in connection with alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). However, during a recent American Bar Association conference, Jerome B. Meites, a chief regional civil rights counsel at the Department of Health and Human Services (“HHS”)… Continue Reading
An Office for Civil Rights (OCR) report issued this month reveals some interesting details about data breach activity under HIPAA, as well as some helpful reminders and recommendations for covered entities and business associates. Section 13402(i) of the HITECH Act requires the Secretary of Health and Human Services to submit a report to various Senate… Continue Reading
On the heels of recent nationwide data breaches of consumer personal information, the Florida State Senate has proposed SB 1524, which if adopted will become effective on July 1, 2014, to revamp and replace existing state data security law and, in particular, impose a statutory requirement to safeguard personal information, reporting a breach to the… Continue Reading
Skagit County, Washington, has agreed to settle potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to an announcement by the Office for Civil Rights (OCR) on Friday. OCR reported that Skagit County, home to approximately 118,000 residents, agreed to a $215,000 monetary settlement and to comply… Continue Reading
The U.S. Commodity Futures Trading Commission (Commission) issued a Staff Advisory on best practices for financial institutions that must comply with Gramm-Leach-Bliley Act (GLBA) provisions on data security and customer privacy. GLBA was enacted to ensure that financial institutions respect the privacy of their customers and protect the security and confidentiality of nonpublic personal information. Specifically,… Continue Reading
After years of identity theft holding the top spot for crimes reported to the Federal Trade Commission, and following recent reports of massive data breaches, U.S. Attorney General Eric Holder urged Congress today to enact a national law setting a uniform standard for notifying individuals regarding breaches involving their personal information, according to a report by… Continue Reading
In honor of National Data Privacy Day, we provide the following “Top 14 for 2014.” While the list is by no means exhaustive, it does provide critical areas businesses will need to consider in 2014. Location Based Tracking. As the utilization of GPS enable devices becomes more and more prevalent, employers are often faced with… Continue Reading
North Dakota has amended its data breach notification law to include "medical information" and "health insurance information." See N.D. Century Code, Section 51-30-01. Amendments to the law also provide an exemption for HIPAA covered entities, business associates, or subcontractors so long as they are in compliance with breach notification requirements under title 45, Code of Federal Regulations,… Continue Reading
Today, the Centers for Medicare and Medicaid Services (CMS) requested an "emergency review" of its recently proposed rule that "[Federally-facilitated Exchanges or FFEs], non-Exchange entities associated with FFEs, and State Exchanges must report all privacy and security incidents and breaches to HHS within one hour of discovering the incident or breach." We reported on the proposed… Continue Reading
Texas amends its data breach notification statute and the law’s effects on persons out of state.
California Attorney General issues data breach report and announces enforcement priority to investigate breaches involving unencrypted personal information.
HIPAA data breach affecting 441 patients leads to investigation resulting in $50K in penalties due to alleged lapses in security compliance.
Another reported HIPAA breach results in $1.5 million dollar settlement between HIPAA covered entity and HHS’ Office of Civil Rights
HIPAA audit following breach reported to OCR results in findings of noncompliance, settlement payment of $1.7 million and a three-year corrective action plan.
Minn. AG accuses business associate of backdating a business associate agreement
Notice to Connecticut Attorney General now required following data breaches affecting state residents.
The Minneapolis Star Tribune reports that a laptop computer containing private information on about 14,000 patients of Fairview Health Services and 2,800 patients of North Memorial Medical Center was stolen from a locked car in the parking lot of a Minneapolis restaurant in July of 2011. The incident is just one more in a series… Continue Reading
In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states. The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business… Continue Reading
Illinois amends its breach notification law and adds a data disposal mandate.
Today the White House issued a Cybersecurity Legislative Proposal. The proposed legislation focuses on protecting the American people, the nation’s critical infrastructure, and the federal government’s computers and networks. While legislation of this nature would simplify the breach reporting process for businesses, and overall streamline cybersecurity laws, a number of legislative attempts to do this have previously failed. … Continue Reading
In distinct efforts to strengthen data security requirements, the California and Massachusetts legislatures recently passed bills affecting data breach notification requirements and data security notification, respectively. On April 14, 2011, the California senate approved S.B. 24, requiring California businesses and agencies to notify the state attorney general if more than 500 California residents are notified… Continue Reading
A recent criminal case involving a government employer harmed by a computer hacking incident affecting its personnel records may provide support for companies seeking to recover the costs they incur when taking appropriate steps to investigate these data incidents and mitigate harm when a breach is found to have occurred.
In a uniquely timed second showing of enforcement authority, the Department of Health and Human Services (HHS) announced on February 24, 2011 a one million dollar settlement with a Massachusetts hospital that allegedly breached patient data. This settlement announcement comes only days after HHS announced a 4.3 million dollar HIPAA Privacy Rule fine. The Massachusetts… Continue Reading