Recent OCR Newsletter Highlights Growing Cyber Extortion Threat for Healthcare Organizations

The OCR’s January 2018 newsletter details specific types of cyber extortion that healthcare organizations are currently encountering, including ransomware, denial of service attacks, distributed denial of service attacks and theft of protected health information (PHI). Each type of attack poses unique challenges that may affect an organization in different ways. However, all cyber extortion disrupts a healthcare organization’s day-to-day operations on some level and, in some cases, its ability to care for its patients. The OCR identified the four most frequent cyber extortion trends as follows:

Continue Reading

Looking Back: The Federal Trade Commission Issues Annual Data Privacy Report for 2017

On Jan. 18, 2018, the Federal Trade Commission (FTC) published its Annual Privacy and Data Security Update. The update is helpful to businesses in that it recaps the efforts and areas of involvement the FTC has targeted in the past year as well as guides data protection strategies for 2018. The report provides a detailed review of the FTC’s areas of enforcement and international privacy protection updates, as well as the FTC’s domestic educational and cyber initiatives in 2017.

Continue Reading

SAMHSA Updates Privacy Regulations to Reflect Advancements in Healthcare

On Jan. 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued its final rule regarding the Confidentiality of Substance Use Disorder Patient Records Part 2. These changes become effective Feb. 2, 2018.

As background, the Confidentiality of Substance Use Discover Patient Records Part 2 protects patient records maintained in connection with any activity related to substance use disorder education, treatment, rehabilitation, research, prevention or training. 42 C.F.R. Part 2. It applies to all programs that receive federal assistance and are designated as “part 2” programs, as well as to “lawful holders,” which are individuals and entities who lawfully receive information protected by the Confidentiality of Substance Use Disorder Patient Records Part 2. In an effort to maintain privacy protections for individuals seeking treatment for substance abuse disorders while providing greater flexibility reflective of the advances and integration in healthcare, the final rule address two elements: (1) abbreviated disclosure notices, and (2) who can use disclosure patient information and when.

Continue Reading

Clock Ticking, European Commission Launches GDPR Implementation Guidance Website

With only four months remaining until the EU General Data Protection Regulation takes effect on May 25, 2018, the European Commission has launched a new website offering guidance on requirements and implementation targeted at an array of stakeholders including Member State governments, businesses, data subjects, and other entities whose operations or data processing activities will bring them into the GDPR’s orbit.

Continue Reading

Aetna Agrees to Pay $17 Million and Implement Best-Practices Policy to Settle Claims of HIV-related Privacy Violations

Last week, Aetna agreed to resolve class action claims of privacy violations related to the disclosure of thousands of members’ HIV status. The agreement will require the insurance giant to pay over $17 million into a settlement fund, the majority of which will be distributed to members of the affected class and to develop and implement a “best practices” policy for the use of members’ protected health information (PHI), to bring an end to a class-action lawsuit filed in August 2016 by pseudonymous plaintiff Andrew Beckett (a nod to Tom Hanks’ lead character in 1993’s Philadelphia), which alleged two distinct disclosures of member PHI in one of the largest data breaches involving HIV-related privacy.

The first alleged violation was that Aetna improperly disclosed members’ HIV status to legal counsel, a settlement administrator and a mailing vendor in connection with lawsuits from 2014 and 2015; the second was that Aetna exposed members’ HIV-related information, including their medications, by mailing notification letters to members in envelopes with large, clear windows that exposed the underlying information to anyone who came into contact with the letters. Ironically, both disclosures stemmed from earlier litigation and a settlement involving claims that Aetna engaged in a discriminatory policy by requiring members to obtain HIV-related medications through mail-order pharmacies, which affected members claimed denied them the right to obtain in-person advice from a pharmacist and created a heightened risk of exposing their HIV status.

Continue Reading

A New Tax Season, but the Same W-2 Spear Phishing Scam

According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect. Continue Reading

Toying With Children’s Data: Lessons From the FTC’s First Connected Toys Settlement Action

Every year, especially around the holidays, more and more products that connect to the internet hit the market. For adults, connected home devices that act like personal domestic assistants have become increasingly popular. Children have been adding connected toys, some of which have the intelligence and programming to become a child’s best friend, to their holiday gift lists. Although the holidays have passed, connected toys are still finding themselves on lists, such as birthday lists, but more importantly, on the investigation lists of the Federal Trade Commission (FTC) and its Canadian counterpart. On Jan. 8, 2018, the FTC – in cooperation with the Office of the Privacy Commissioner of Canada (OPC), which issued its own report finding violations of Canadian law – settled its first-ever connected toy privacy case with Hong Kong-based VTech Electronics, Ltd., (VTech), resulting in a $650,000 penalty. This case is also notable because it illustrates the effectiveness of the application of the U.S. SAFE WEB ACT, which facilitates FTC cooperation with other nations’ data protection authorities (DPAs), and indicates that the multi-DPA task force known as the Global Privacy Network (which includes the FTC and the OPC) can be effective in helping address international consumer privacy harms. In sum, the case arises out of a December 2015 data security breach that compromised the personal data of approximately 6 million children and 5 million adults worldwide. Both the OPC and the FTC concluded that the incident arose out of VTech’s failure to reasonably protect the data.

Continue Reading

Recent Trends, Future Predictions, and Effective Risk Assessments

Risk assessments are a fundamental part of any organization’s risk management process. But many organizations still do not incorporate true risk assessments into their information-security planning, even though doing so makes good business sense and is required by many standards and regulatory frameworks (the HIPAA Security Rule, PCI-DSS, and the NY Department of Financial Services Cybersecurity Requirements all require risk assessments, to name just a few). If you’re not incorporating a true risk assessment into your security program, 2018 is a good year to start. A properly completed risk assessment will help your organization understand and mitigate its most critical risk scenarios, and will prepare your organization to respond favorably to regulator inquiries during an audit or after a security incident at a time when regulatory scrutiny is likely to increase. Continue Reading

The IRS Succeeds in Compelling Crypto Exchange to Disclose User Information

As the price of bitcoin leaps and lurches toward new highs, it seems fitting that the legal regime surrounding it and other virtual currencies is similarly unpredictable. With bitcoin edging its way into mainstream finance, and Coinbase, one of the world’s largest exchanges of bitcoin and other cryptocurrencies, currently holding the top spot on Apple’s free apps chart, U.S. regulators have begun to grapple with how to bring cryptocurrencies and those who use them into compliance with existing and new laws. Though some agencies, like the Securities and Exchange Commission, have chosen a soft entry into regulation by first issuing proactive guidance, others, including the Internal Revenue Service (IRS), have opted to go directly into enforcement actions. A recent decision by the U.S. District Court for the Northern District of California on these actions has brought issues of cryptocurrency account holders’ privacy, anonymity and tax liability onto center stage. Continue Reading

Coming Full Circle: FTC Recovers BIAS Regulation Jurisdiction Following FCC Vote

In a widely publicized decision, the Federal Communication Commission (FCC) voted on Dec. 14, 2017, to repeal the tenets of the Protecting and Promoting the Open Internet Order, or the Open Internet Order, of 2015. See Protecting and Promoting the Open Internet, Report and Order on Remand, 30 FCC Rcd. 5601 (2015). While many have heard of the political debate surrounding the anticipated overturn of the Open Internet Order, commonly referred to as net neutrality rules, many businesses and data privacy experts should pay attention to the privacy regulatory implications this move creates. Most important, this order establishes Federal Trade Commission (FTC) jurisdiction over data privacy and security regulation for broadband internet access service (BIAS) providers, restoring parity between the treatment of BIAS providers and so-called edge networks (e.g. search engines and social media networks) that existed under FTC jurisdiction. Continue Reading