Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February 2015, after a shredding and recycling facility submitted a complaint concerning medical records that had been discovered in a dumpster and delivered to the facility for recycling. OCR subsequently determined that Filefax impermissibly disclosed PHI of 2,150 individuals over a two-week span in early 2015 by leaving PHI in an unlocked truck in Filefax’s parking lot, or by leaving PHI within medical records sitting outside of Filefax’s business for a third party to collect.

The settlement with OCR was entered into by a court-appointed receiver acting on behalf of Filefax, because Filefax ceased operations during OCR’s investigation and was dissolved in August 2017. OCR nonetheless pursued this investigation and entered into the monetary settlement, which will be paid by the receiver from the proceeds of a prior sale of Filefax’s commercial property.

This settlement is a notable example of an egregious violation of HIPAA’s privacy and security standards: the discarding of medical records in a dumpster and/or the transfer of such records to third parties without any assurances of confidentiality or accompanying safeguards. The settlement is also notable for OCR’s continued attention to HIPAA compliance by business associates and not just covered entities.

This settlement represents OCR’s second settlement in 2018, following a large settlement announced last week (see our analysis here), and the back-to-back settlement announcements may be indicative of an uptick in enforcement activity by OCR in 2018 after a quiet end to 2017.

New York’s Landmark Cybersecurity Regulation Compliance Deadlines Looming

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far-reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”).

The Regulation, which became effective on March 1, 2017, is touted as being the first cybersecurity regulation in the nation, requiring significant operational, technology and reporting changes in order for entities covered by the Regulation (Covered Entities) to comply. Covered Entities are required to electronically file a certification statement through the DFS cybersecurity portal confirming the company’s cybersecurity program met the Regulation’s requirements for the prior calendar year. The deadline is today. Have you filed?

For more information on the Regulation and additional upcoming deadlines, click here.

OCR Warns of Cyber Extortion and Provides Checklist

In its January newsletter, the Office for Civil Rights (OCR) focused on cyber extortion, which it stated has “risen steadily over the past couple of years and continue to be a major source of disruption for many organizations.” Since the health care industry has been the target of cyber extortion attacks, the OCR is specifically warning health care entities and has published a Checklist to help HIPAA covered entities and business associates respond to a cyber-attack.

The OCR commented in the newsletter that cyber criminals continue to create new versions of malicious software and attacks, so covered entities and business associates must be vigilant to recognize and mitigate the risk of an attacker accessing and stealing sensitive information. It provides “[E]xamples of activities organizations should consider to reduce the chance of being a victim of cyber extortion:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities (for example, by receiving US-CERT alerts and participating in information sharing organizations).”

DJI Software Now Includes Temporary No-Fly Zone for Olympics

Drone manufacturer, DJI, has updated its software in its drones to include a temporary no-fly zone around the Olympic Games in Pyeongchang, South Korea (and other South Korean cities). The parameters of the no-fly zone are based on four zones in Pyeongchang, Gangneung, Bongpyeong and Jeongseon in Gangwon Province. DJI made this decision to implement this no-fly zone to increase safety and security measures. The no-fly zone will be removed at the conclusion of the games later this month.

Adam Welsh, head of DJI’s Asia-Pacific public policy, said, “Safety is DJI’s top priority, and we’ve always taken proactive steps to educate our customers to operate within the law, and where appropriate, implement temporary no-fly zones during major events. We believe this feature will reduce the potential for drone operations that could inadvertently create safety or security concerns.”

More Passenger Drone Test Flights Hitting the Skies

We previously reported on the Y6S drone passenger test flights set for this year in London; now, two more companies have started testing passenger drones, too. Ehang 184 passenger drones, created by the Chinese company Beijing Yi-Hang Creation Science & Technology Co., Ltd., and Vahana, Airbus’ passenger drone project, both hit the skies.

Ehang 184 had a successful public test flight – that is, after more than 1,000 test flights prior to the public test. Those prior tests included stress testing variables that could lead to potential failure (e.g., battery redundancy, carrying 500 lbs., and inclement weather conditions) so that the company could ensure that passengers will be safe during flights. Ehang 184 has a 23-minute flight time and a 10-mile max distance.

Vahana only left the ground for 53 seconds and reached an altitude of only 16 feet, but the test marked Airbus’ entrance into the passenger drone world. This drone has a fixed-wing and multi-rotor frame and is expected to conduct forward flight tests very soon.

While both of these companies are a little behind Intel, which boasts an 18-rotor air taxi prototype called the Volocopter with a flight time of 30 minutes and a maximum range of 17 miles with a maiden flight in Dubai last year, Airbus and Ehang are certainly part of the race for full-scale drone taxi service and that race is far from over.

Privacy Tip #126 – Employee Training and Education Continues to be “Best” Cyberdefense

It is a myth that employees hate training and education. I have seen it with my own eyes. It is very exciting to watch an audience visibly cover their mouths when real life stories are told about cyber-attacks and phishing incidents that employees’ conduct cause because they are working too fast, not paying attention to detail and just plain don’t know much about the risks of technology.

I am constantly amazed the number of people of all ages who have no idea about the risks posed by the use of technology, and how they can put themselves and their companies at risk by one click.

Arming employees with tools to protect your digital perimeter gives them a sense of purpose and pride. In my experience, employees do not want to be the one who clicks on the link that introduces malware or ransomware into the company system. I have never seen a victim who has enabled an infiltrator into the system feel anything except horror. Employees in general really do want to do a good job for their company and do not want to harm it.

That’s why employee training and education in data privacy and security continues to be so important as a mitigating factor to the risk of cyber intrusions. According to a survey of cybersecurity professionals in financial firms, in their opinion, employee education and training on data privacy and security is the best defense against cyber-attacks—over network security breach prevention, or securing the cloud. This is because “[P]rotective measures on a firm’s computer system can still fail if a worker clicks on a link or downloads an email attachment carrying malicious code.” So true.

Employees don’t understand the risks until you show them and tell them real stories that they can relate to, learn from and not replicate. Face-to-face training works wonders for increasing the culture around data privacy and security and empowers employees to assist companies in promoting practices to protect data. Try it—you will be surprised at how engaged your employees can be when they are part of fixing the problem.

Ciox Health, LLC Initiates Lawsuit against the Department of Health and Human Services Over Medical Records Request Fees under HIPAA and HITECH

On January 8, 2018, Ciox Health, LLC (Ciox) filed a complaint against the Department of Health and Human Services (HHS) and then-acting Secretary Eric D. Hargan, alleging that the Department’s rules and guidance, under HIPAA and HITECH, “impose[] tremendous financial and regulatory burdens on health care providers and threatens to upend the medical-records industry that services them.” The complaint claims that the Department’s 2013 omnibus rule and 2016 guidance violated the Administrative Procedures Act, and it asks District Judge Mehta of the United States District Court for the District of Columbia to declare those acts unlawful and further enjoin HHS from further enforcing either of them.

In particular, Ciox’s lawsuit targets the fee that can be charged to third-party entities requesting a copy of an individual’s medical records. Although the complaint acknowledges an individual’s right, under HIPAA and 45 C.F.R. § 164.524(c), to get his or her own records for little or no fee, the lawsuit vehemently opposes establishing similar cost-regulated access for third parties—like an attorney or insurance company—requesting an individual’s records. Ciox argues that the 2013 rule, and later the 2016 guidance, from HHS arbitrarily imposes the fee schedule intended for individuals seeking their own records on third parties seeking the patient’s records, which lacks any authority—in Ciox’s view—under HIPAA or HITECH.

As set forth in the 2016 guidance, if an individual requests his or her own medical records but indicates that they should be provided to a third party, like his or her attorney, the medical-records keeper, like Ciox, may only charge the rate that would be applicable if that individual was seeking the records for him or herself—a “reasonable, cost-based fee.” Ciox maintains that the ability to charge higher rates for records requests from third-parties significantly subsidized and allowed for it to provide records to individuals at little to no fee. However, Ciox fears that adherence to the 2016 guidance will dissipate the revenue that previously allowed it to accommodate patient, or provider, records requests at no charge.

It remains to be seen what procedural and substantive roadblocks may lay ahead for Ciox’s claim against the Department. However, this action is an example of how private, for-profit, entities must grapple with federal and state agency regulations while still attempting to remain profitable. While this lawsuit may attempt to strike a balance between the needs of the government to provide patients access to their medical records and the free market’s rate setting, we’ll have to wait and see how it unfolds.

Nationwide, State Legislators Push Blockchain-friendly Legislation

As previously reported, state legislatures throughout the country continue to propose legislation designed to facilitate the use of blockchain-based technology by businesses within their states. In recent weeks, legislatures in Florida and Nebraska have each proposed laws streamlining the transaction of business electronically and through use of distributed ledgers on blockchain applications. In Arizona, the state senate just passed a bill allowing residents to pay income taxes through a cryptocurrency such as Bitcoin.

Given this flurry of legislative activity, one would reasonably assume that widespread implementation of blockchain technology had already occurred. In fact, as recognized by the January 31, 2018 Final Report from the Illinois General Assembly Blockchain and Distributed Ledger Task Force, Bitcoin remains the only successful, scalable implementation of blockchain and distributed ledger technology to date.

While recognizing that most blockchain applications remain in early development stages, the Illinois task force report expresses significant optimism for governmental applications of blockchain, concluding that “it is clear that distributed ledgers can begin a transition to a smarter, cheaper and safer way to administer government.” In particular, the task force envisions blockchain as a means for government to transition to being a verifier, rather than a custodian, of residents’ identity information – a shift that would allow for highly-secure methods for interacting with the government, promote the use of paperless records, increase data accuracy, and provide increased cybersecurity protection. The report considers various governmental applications for blockchain technology, including social benefits distribution, public transportation, waste management, and disaster recovery grant distributions.

Given the nascent state of the technology, the task force generally steered clear of recommending broad legislative action to regulate blockchain technology. Instead, the final report focuses specifically on overhauling archaic property law standards to clear the way for use of blockchain and other digital applications to modernize the property recording process.

World-Record Drone Show at Olympic Ceremony

As with any Olympics Opening Ceremony, the pageantry is of global scale, but this year, in Pyeongchang, South Korea, Intel took it to a whole new level – a record-setting 1,218 drones hit the skies for a mechanical phenomenon. There’s never been anything like it.

Intel’s Shooting Star software platform enables an army of one foot-long, eight ounce, plastic and foam quadcopters to fly in sync along an animator’s pre-determined path. General Manager of Intel’s drone group, Anil Nanduri, said, “It’s in essence technology meeting art.”

However, while the drone light show aired during the Opening Ceremony, the actual footage was shot back in December due to the fact that there were going to be too many spectators standing in the area where the live drone show was supposed to take place, which the Olympic organizing committee considered to be a safety issue. Pyeongchang is a cold and windy city and the risk was too high.

Of course, the pre-recording of this show did not take away from the awe created by these drones. The Olympic-themed animations, including a snowboarder and the iconic interlocking rings, were created by careful coding and the four billion color combinations enabled by its onboard LEDs, resulting in quite the spectacle. Once the animations were in place, each drone operated independently, communicating with a central computer rather than with each other. The central computer also decided which drone played which role based on battery level and GPS strength of each drone in the flock. The drones can only fly for approximately 20 minutes due to the limitation of their lithium-ion batteries, which was another challenge in the cold climate.

Eventually Intel hopes to graduate its drone light show fleet to more compelling operations like search and rescue. However, utilizing these drones for that purpose would require some regulatory changes or advancement so that is not likely in the immediate future. For now, the Shooting Star drones will continue to wow the world with their spectacular light shows, especially now that they have participated in the world’s largest drone light show ever.

Cisco Warns of VPN Bug

Cisco is warning customers using its Adaptive Security Appliance (ASA) software about a VPN bug that could allow an unauthenticated, remote attacker to “cause a reload of the affected system or to remotely execute code” and “allow an attacker to take full control of the system.”

Because the bug, known as CVE-2018-0101, is easy to use and has a big impact, it has been given a Common Vulnerability Scoring System score of 10 out of 10.

For you security types, go to Cisco’s advisory to get the technical details, although as of yesterday, the first fix may not have been sufficient.

For those of you who are not security types, get your security types to give you an update on whether this bug impacts your organization and how your organization is mitigating its effect.