Threat Actors are Finding New Ways to Commoditize Data

While all businesses continue to adjust to the remote work environment, it’s business as usual for cybercriminals. Although there are reports of phishing schemes tied to the COVID-19 pandemic, we are not really seeing different types of incidents or new tactics from the threat actors. Incident volume has increased slightly, but we are not seeing the surge that many expected as governments around the world instituted stay-at-home orders.

One recent trend in ransomware attacks is threat actors stealing data and threatening to publicize it to increase their leverage to extort money from the victims. If a business encounters one of these groups in a ransomware incident and has explored paying the ransom to unlock its files, we are now seeing threat actors support the demand by claiming they stole data and will make it public if the ransom is not paid. We are also seeing instances when an organization is able to recover without paying the ransom, but the threat actor reaches out and claims that it stole data, and demands a ransom to return or destroy the files. Often, short timelines will be attached to this threat, forcing an organization to quickly assess its credibility through forensics or by mining the threat actor for whatever information it will share. This has been widely reported, and even the FBI has issued a warning about ransomware groups utilizing this tactic. Gone are the days when data exfiltration in a ransomware event was rare. Hello, new normal.

Focus on Children’s Privacy Intensifies as Daily Life Moves Online

With physical schools closed indefinitely, classrooms have moved online, either introducing or significantly expanding children’s use of virtual education technology and highlighting certain privacy concerns. Responding to this evolving environment, on April 9 the Federal Trade Commission (FTC) issued COPPA Guidance for Ed Tech Companies and Schools during the Coronavirus to address some common compliance issues relevant to entities that process children’s personal information.

The FTC’s guidance covers a number of key issues, including the applicability of Children’s Online Privacy Protection Act (COPPA) requirements to ed tech vendors and that schools can consent on behalf of parents to the collection of student personal information. It also reiterates that ed tech vendors should have plain-language privacy notices that students, parents and educators can understand, and it sets forth a checklist of considerations for schools looking to engage ed tech vendors.

Due to the COVID-19 Pandemic, HHS Eases Restrictions on the Use and Disclosure of PHI by Business Associates

The COVID-19 public health emergency already has caused the U.S. Health and Human Services (HHS) Office for Civil Rights to announce various enforcement changes and waivers. On April 2, HHS issued another notification of enforcement discretion – this one relating to business associates. This latest notification allows business associates to use and disclose protected health information (PHI) for public health and health oversight purposes even if not expressly permitted by their business associate agreement.

CARES Act Significantly Revises Part 2 Rules to Better Align with HIPAA

On March 27, 2020, President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”) into law. While the focus of the CARES Act has been on direct financial aid to Americans, the Act also contains a number of material revisions to the Federal privacy provisions that govern the confidentiality of substance-use disorder (“SUD”) records.

SUD information is protected by the federal confidentiality law found at 42 U.S.C. §290dd-2, which is the statutory authority for the SUD confidentiality regulations under 42 CFR Part 2, commonly referred to as “Part 2.” The CARES Act revises certain provisions of the SUD statute to better conform with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), thereby minimizing the burden on providers of trying to comply with two somewhat conflicting regulatory schemes. Most notably, Section 3321 of the CARES Act provides that once prior written consent of the patient has been obtained, SUD records “may be used or disclosed by a covered entity, business associate, or a [Part 2] program for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations.”

This eliminates the prior requirement that a SUD patient’s consent be obtained before each disclosure and that the consent identify each recipient by name (rather than by general category of recipients, as permitted under HIPAA), a requirement that has been viewed as an obstacle to information sharing; it also enables providers to re-disclose the records as permitted under HIPAA.

The CARES Act also expands privacy protections for SUD patients by:

  • Limiting use and disclosure of SUD information against the patient in judicial or administrative proceedings.
  • Prohibiting anyone who receives SUD records from using such information to discriminate against individuals, including with regards to access to treatment for health care, hiring or firing decisions, sale, rental, or continued rental of housing and access to government services and benefits.
  • Adopting several provisions from HIPAA, including the rules regarding breach notification, provision of Notice of Privacy Practices in plain language to SUD patients and granting SUD patients the right to an accounting of disclosures.

In addition, the civil and criminal penalties for violating Part 2 were increased under the CARES Act to be consistent with HIPAA. Violators now face a maximum fine of $50,000 and 1 year in prison for wrongful disclosure of SUD information, with heightened penalties if false pretenses were involved or the information was used for personal gain or to cause malicious harm.

The CARES Act requires the Department of Health and Human Services (“HHS”) to revise the Part 2 regulations within 12 months to comply with the CARES Act. Finally, the CARES Act requires HHS to issue guidance regarding the sharing of patients’ PHI during the COVID-19 public health emergency within 180 days, but does not specify what this guidance must contain. As the HHS Office for Civil Rights (“OCR”) already issued a bulletin entitled “HIPAA Privacy and Coronavirus” in February of 2020, an 1135 waiver of certain HIPAA requirements for hospitals, as well as a Notice of Enforcement Discretion relaxing certain HIPAA requirements related to telehealth during this national emergency, it is unclear whether the existing OCR guidance will satisfy the CARES Act requirements or whether additional guidance will be forthcoming.


Healthcare Providers Remain Targets for Ransomware Attacks in the Midst of COVID-19 Pandemic

Although it was widely reported that several ransomware threat actor groups have pledged to not target healthcare providers until the COVID-19 pandemic is over, BakerHostetler’s Digital Assets and Data Management Practice Group and Healthcare Privacy and Compliance team continue to see ransomware attacks launched against healthcare providers.

In order to combat the COVID-19 pandemic, healthcare providers have had to radically change their normal business processes, which could make them more vulnerable to ransomware attacks.

Additional 6-Month CCPA Extension Sought in Wake of COVID-19

On March 18, we filed a request to the California Attorney General, as part of the CCPA rulemaking process, seeking an additional six-month delay in the enforcement of the CCPA to allow our clients time to better focus on business continuity and the safety of consumers and employees in response to the national COVID-19 state of emergency. CCPA enforcement is set to begin July 1, 2020, but the State of California has yet to even complete the rulemaking process for the implementing regulations. The full filing is available here.

HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care and the requirement to distribute a Notice of Privacy Practices to patients. Currently, the waiver applies only to those hospitals located in the emergency area identified in the public health emergency declaration that have instituted a disaster protocol, and then only for 72 hours from the time at which the disaster protocol was implemented. It is unclear if OCR will extend the time period for this waiver given the widespread and potentially prolonged nature of the COVID-19 outbreak. The bulletin also reminds providers that affirmative reporting to the media or the public about any identifiable patient may not be done without the written authorization of the patient or the patient’s personal representative. A copy of the bulletin can be found here.
COVID-19 Cybersecurity Exposure

Risk scenarios and recommendations

History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting to track the coronavirus’s spread across the globe. These opportunistic attacks were an expected variation on well-known themes that use fear to engineer an individual’s behavior. But unlike the typical crisis – a natural disaster or terrorist attack contained in time and space – the pandemic’s effects are global and protracted and stoke paranoia in ways that terrorist organizations only dream of.

While there are many ways to exploit a global pandemic, cyberattacks are an obvious and particularly combustible option. Cyberattacks can be deployed quickly, globally and with virtually no risk to the attacker. They can support any motive, from financial gain to espionage, sabotage and terrorism. And they can exploit new fractures in our already weak cyber defenses fueled by global distraction and fear, and an unprecedented level of remote work. Likewise, a distracted workforce coping with working in unfamiliar places is more likely to make mistakes when handling sensitive data.

FERPA Disclosures in Response to COVID-19

The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued Frequently Asked Questions related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with. This FAQ document mirrors in large part the same line of advice found in ED’s prior Joint Guidance with Health and Human Services related to student health and permitted disclosure (see our prior blog post on that guidance here), but the FAQ is targeted with specific questions that educational institutions and entities are facing in addressing and supporting their students and communities in light of the pandemic.

With K-12 schools and institutions of higher education at the forefront of community response to the pandemic, and playing a pivotal role not only in education but also in feeding students, providing facilities for the community, and other important facets of community life, schools, districts and institutions need to be able to respond to the pandemic while also ensuring that the provisions of the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. Section 1232g; 34 C.F.R. Part 99, relating to unauthorized disclosure of an education record are not implicated. Specifically, FERPA prohibits an educational agency or institution from disclosing personally identifiable information (PII) from a student’s education record without the prior written consent of a parent or non-minor student unless an exception applies. One exception is the “health or safety emergency,” which allows disclosure in an emergency to public health agencies, medical personnel, law enforcement officials or even parents if such disclosure is necessary to protect the health and safety of other students or individuals. There must be an actual emergency, not a future or unknown one. In areas where COVID-19 has been declared a public health emergency, this requirement would arguably be met. However, ED notes that public health departments typically can have education records disclosed under this exception even in the absence of a formally declared health emergency.

New HHS Rules Give Patients ‘Unprecedented’ Digital Access to Their Own Health Data but May Put Privacy at Risk

On Monday, the U.S. Department of Health and Human Services (HHS) issued what it calls “transformative” rules that will govern how healthcare providers, insurers and technology vendors must design their systems to give patients safe and secure access to their health data. Issued by two different agencies within HHS – the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) – the rules implement the interoperability and patient access provisions of the bipartisan 21st Century Cures Act.

The new rules are aimed at putting patients in charge of their own health records and allowing them to share their sensitive health data with others, including smartphone application developers. But with these new rules come growing concerns over the risk they pose to patient privacy.

Interoperability and Patient Access

The ONC final rule requires that health providers, developers of certified health information technology (IT) products, health information exchanges and other health information networks give patients secure, electronic access to their health records at no cost, and it creates new measures to prevent information-blocking practices and anti-competitive behavior. In addition, the rule establishes new provisions to ensure that providers have the ability to communicate about health IT usability, user experience, interoperability and security, including (with limitations) the ability to document issues using screenshots and video, which ONC says are critical forms of visual communication.