Tag archives: data protection

South Dakota and Colorado strengthen data breach protections

Last week, South Dakota moved closer to implementing a data breach notification law, while Colorado legislators introduced a new bill requiring “reasonable security procedures,” imposing data disposal rules and shortening the time frame in which to alert authorities regarding a breach. South Dakota and Colorado are the latest states taking steps in cybersecurity lawmaking in …

Your money or your PHI: New guidance on ransomware

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised …

Medical technology initiatives announced in Health Minister’s budget speech

The use of technology in the health sector is on the rise. The intersection of these two industries leads to interesting legal questions relating to digital risk, including big data analytics, data security and privacy. In his budget speech on 10 May 2016, Minister Aaron Motsoaledi discussed the following interesting medical technology initiatives being undertaken …

FDA warns of potential link between antimalware and medical device failure

On February 8, 2016, the U.S. Food and Drug Administration (FDA) issued a Product Problem Report concerning the following device: Merge Hemo Programmable Diagnostic Computer, manufactured by Merge Healthcare. The Merge Hemo device monitors, measures and records physiological data from patients undergoing cardiac catheterization procedures and transfers this data to a monitoring station that runs …

FDA issues Data Integrity Guidance under CGMP

Increasing concerns about data integrity in the pharmaceutical industry have prompted the U.S. Food and Drug Administration (“FDA”) to release Draft Guidance addressing the issue as it relates to current good manufacturing practices (cGMP) for pharmaceutical companies. The Draft Guidance – titled Data Integrity and Compliance with CGMP, Guidance for Industry – is framed a …

FTC Guidance for developers of mobile health apps

In the fall of 2015, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) released an online resource to assist mobile health application developers in determining whether they need to comply with the Health Insurance Portability and Accountability Act (“HIPAA”). This week, the Federal Trade Commission (“FTC”) announced a new web-based tool …

Ransomware incident response – prevention, readiness and strategy

Last week, the Hollywood Presbyterian Medical Center was able to successfully negotiate the release of a collection of system resources and data files that had been encrypted and held hostage by ransomware attackers. Ransomware is a peculiar type of malware that is not designed or intended to steal personal or confidential information. Rather, ransomware is …

FDA builds on postmarket cybersecurity measures for medical devices

On January 15, 2016, the U.S. Food and Drug Administration (“FDA”) released draft guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” outlining recommendations to medical device manufacturers for managing postmarket cybersecurity vulnerabilities for marketed medical devices. The FDA stresses that an effective cybersecurity risk management program should address potential cybersecurity risks throughout the product’s …

The University of Washington Medicine settles alleged HIPAA breach for US$ 750,000

The University of Washington Medicine (“UWM”) has agreed to settle charges that it violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule for US$ 750,000, following a breach report first submitted by UWM on November 27, 2013. In addition to settlement, UWM has entered into a Resolution Agreement with the United …

Anthem breach may trigger legal obligations for organizations that use Anthem to provide or support employee health insurance plans

Norton Rose Fulbright’s Data Privacy co-chairs authored a blog post that reported on the recent Anthem breach and the consequential cybersecurity risks for its customers. See Anthem breach posts significant cybersecurity risks for Anthem’s customers; may trigger legal obligations, Data Protection Report, February 8, 2015. The data breach, which affected about 80 million current and former …

HHS reports detail HIPAA breaches and compliance

On June 11, 2014, the US Department of Health and Human Services (“HHS”) issued two reports to Congress addressing Health Information Accountability and Portability Act of 1996 (“HIPAA”) compliance activities for calendar years 2011 and 2012. The first report, relating to breaches of unsecured HIPAA-protected health information, describes the types and numbers of breaches reported …

Two New York hospitals agree to pay $4.8M in HIPAA fines

On May 7th, two New York hospitals agreed to pay the Department of Health and Human Services (“HHS”) $4.8 million to settle claims that the hospitals had failed to secure patients’ electronic protected health information, in violation of the Health Insurance Portability and Accountability Act (“HIPAA”). Specifically, Columbia University Medical Center paid $1.5 million …

Two HIPAA settlement agreements illustrate need for encryption

On April 22, 2014, the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) announced that it had reached settlement agreements with two organizations alleged to have violated the Health Information Portability and Accountability Act of 1996 (“HIPAA”) in conjunction with the theft of unencrypted computers. HHS conducted a review of …

Privacy – Mandatory breach notification coming to Australia

With many Australian organisations still coming to grips with recent changes to their privacy laws, legislation to mandate notification of privacy breaches is back on the agenda. Amongst other aspects, the recent changes introduced significant fines and increased the scope for liability if personal information is exported. This has forced organisations to review their privacy …

Government’s Fraud and Abuse Program nets US$4.3Bn in FY 2013

In a report released on February 26th, the federal government stated that its Health Care Fraud and Abuse Control Program (“HCFAC”), established under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), recovered $4.3 billion during FY 2013. This amount includes more than $2.6 billion from healthcare fraud settlements and judgments and is the …

Congressional hearings indicate additional security flaws with healthcare website

During a US House of Representatives Science Committee hearing last week, cybersecurity researchers described that the Affordable Care Act’s healthcare website, HealthCare.gov, is still susceptible to security issues, which could put patients’ sensitive health information at risk. David Kennedy, president and CEO of information security firm TrustedSec, LLC is one of the individuals who testified …