St. Joseph Health Settles with OCR for $2.14 Million

The Office for Civil Rights (OCR) has announced that it has entered into a settlement with St. Joseph Health, which operates hospitals and nursing homes in California, Texas and New Mexico, for $2.14 million for alleged HIPAA violations.

St. Joseph Health notified the OCR on February 14, 2012, of a data breach involving the protected health information of 31,800 patients. A file-sharing application on one of its servers had been left on its default settings, which allowed the files to be reached from the internet during 2011 and 2012. According to the press release, the information was available through internet search engines during that time frame.

The files were PDF files that included the names, health status, diagnoses and demographic information of the patients.
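The press release does not name the file-sharing product or say what the default settings were, but the failure mode it describes is checkable: fetch a suspected share URL with no credentials and see whether the server hands back a directory listing or a document, and whether it tells search engines not to index what it serves. The helper below is an added example written for this page, not code from OCR or from St. Joseph Health. The response samples at the bottom are constructed, and the `fetch_anonymous` helper is a hypothetical wrapper around `urllib` for use against a server you are authorized to test.

```python
"""Classify an HTTP response from a suspected file-share URL as exposed or not.

Hypothetical audit helper (not from the OCR release). It takes a response that
was fetched WITHOUT credentials or cookies and decides whether the server is
handing documents or directory listings to anonymous clients, and whether
search engines are told not to index them.
"""
from dataclasses import dataclass
import re
import urllib.request


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Title/body markers emitted by common web servers' auto-generated indexes.
INDEX_PATTERNS = (
    re.compile(r"<title>\s*Index of", re.I),          # Apache, nginx
    re.compile(r"Directory listing for", re.I),       # python -m http.server
    re.compile(r"\[To Parent Directory\]", re.I),     # IIS
)
DOC_TYPES = ("application/pdf", "application/msword", "application/vnd.")


def assess_exposure(resp):
    """Return a list of findings; an empty list means nothing exposed."""
    findings = []
    hdrs = {k.lower(): v for k, v in resp.headers.items()}

    # Authentication challenge, forbidden, or a bounce to a login page:
    # the anonymous client did not get content, so nothing is exposed.
    if resp.status in (401, 403):
        return findings
    if 300 <= resp.status < 400 and "login" in hdrs.get("location", "").lower():
        return findings
    if resp.status != 200:
        return findings

    ctype = hdrs.get("content-type", "").lower()
    if ctype.startswith("text/html") and any(p.search(resp.body) for p in INDEX_PATTERNS):
        findings.append("anonymous directory listing")
    if any(ctype.startswith(t) for t in DOC_TYPES) or resp.body.startswith("%PDF-"):
        findings.append("document served without authentication")

    # A noindex header keeps crawlers away but is NOT a substitute for
    # authentication; it only changes whether the exposure is searchable.
    if findings and "noindex" not in hdrs.get("x-robots-tag", "").lower():
        findings.append("no X-Robots-Tag: noindex (search engines may index it)")
    return findings


def fetch_anonymous(url, timeout=10):
    """Fetch `url` with a bare client (no cookies, no auth) and wrap the reply.
    Not exercised by the constructed samples below; only for authorized tests."""
    req = urllib.request.Request(url, headers={"User-Agent": "share-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read(4096).decode("utf-8", "replace")  # prefix is enough
            return Response(r.status, dict(r.headers), body)
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), "")


# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "listing": Response(200, {"Content-Type": "text/html; charset=utf-8"},
                        "<html><head><title>Index of /shared</title></head>"
                        "<body><a href='patients_2011.pdf'>patients_2011.pdf</a></body></html>"),
    "pdf": Response(200, {"Content-Type": "application/pdf", "X-Robots-Tag": "noindex"},
                    "%PDF-1.4\n%constructed sample\n"),
    "protected": Response(401, {"WWW-Authenticate": "Basic realm=\"share\""}, ""),
    "login_redirect": Response(302, {"Location": "https://share.example/login?next=/shared"}, ""),
}


def audit_samples():
    """Run the classifier over the constructed samples; returns {name: findings}."""
    return {name: assess_exposure(resp) for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name:15s} -> {findings or ['ok']}")
```

Against a live server, call `assess_exposure(fetch_anonymous(url))` from a network position that mirrors an internet user, not from inside the corporate network where a share may be reachable by design. The `noindex` finding is deliberately secondary: a share that is reachable without credentials is the breach, whether or not a search engine has crawled it yet.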

The OCR noted that although St. Joseph Health hired contractors to assess the risks to and vulnerabilities of ePHI on its systems, those assessments were conducted in a “patchwork fashion and did not result in an enterprise-wide risk analysis.” Unfortunately, the OCR gives no further detail on what it means by this or on what kind of risk analysis it would deem sufficient.

In addition to the settlement payment, St. Joseph Health also entered into a Corrective Action Plan with the OCR.

Connecticut Governor appoints State Cybersecurity Czar

Gov. Dannel P. Malloy recently appointed Democrat Arthur H. House the state’s first cybersecurity czar. House moves into the role after serving as the chairman of the Public Utilities Regulatory Authority for the past four years.

In that role, House has been involved in combating digital threats to the critical utilities of electricity, natural gas and water. “As technology expands into every segment of our lives and creates greater convenience and ease, it also brings a new set of challenges and risks, and that includes essential functions such as our public utility systems,” Malloy said. “This position of chief cybersecurity risk officer will serve as a leader for the state who will coordinate the work responsible for enhancing Connecticut’s cybersecurity posture, and safeguarding our cyber systems and critical infrastructure in an ever-evolving threat landscape.”

The appointment was prompted by increased computer hacking in the public and private sectors and is believed to be the first such appointment at the state level. Connecticut continues to be a leader in combating cyber-crime; its Attorney General’s Office, for example, has a cyber unit that also investigates data breaches.

NASA Announces Beyond Visual-Line-of-Sight UAS Test Flights

The National Aeronautics and Space Administration (NASA) plans to fly unmanned aircraft systems (UAS, commonly known as drones) this month beyond the visual line of sight of their operators to test the planning, tracking and alerting capabilities of NASA’s UAS traffic management (UTM) research platform. Two of the drones will fly beyond visual line of sight, and the other three drones (if used) will fly in the same test airspace, separated by altitude, while remaining within line of sight of their operators. NASA seeks to test the UTM platform and its ability to track drone location. Before multiple commercial drones (and government drones, for that matter) can start flying in the same areas, beyond a pilot’s view, procedures must be in place to safely manage the drone traffic, keep the aircraft out of no-fly zones (or geo-fenced areas) and alert operators to severe weather or unplanned events in the airspace that change the drones’ plans.

During this month’s test flights, NASA hopes to demonstrate the UTM platform’s ability to connect real drone tracking systems to the research platform, to provide alerts about approaching drones and manned aircraft, and to provide information about weather and other hazards. NASA will ensure that all necessary safety precautions are taken, and every drone will be continuously monitored by visual observers, so that operation remains safe even when a drone is beyond its operator’s line of sight.

The goal is to increase the safety (and therefore the capabilities) of drone flights beyond visual line of sight, which would lead to changes in the current Federal Aviation Administration (FAA) regulations that prohibit such flights. Once the first test is completed, NASA will offer these capabilities to all FAA test sites for further validation and assessment of the UTM platform. In January 2018, NASA plans to start testing tracking procedures for managing cooperative and uncooperative drones, to ensure the collective safety of manned and unmanned operations over moderately populated areas; in 2019, NASA plans to conduct test flights in higher-density urban areas with autonomous vehicles used for newsgathering and package delivery, and to offer large-scale contingency mitigation.

New Use for Drones on Australian Beaches

On beaches in Western Australia’s South West, surveillance drones will take to the skies to improve swimmer safety by spotting sharks in the water. The project will run over a three-month period (from November to January) and will cost approximately $88,000. Surf Life Saving WA (a provider of educational and emergency rescue services) will operate four small drones equipped with high-definition cameras that stream live imagery directly to personnel on the beach so they can act before swimmers are in danger. This should cut the cost of the Australian government’s shark mitigation strategy by replacing helicopters and patrols. However, the project will need to achieve measurable results to keep its funding, which may be difficult: the drones will have to cope with the unique geography of the beaches and with varying weather conditions.

Western Australian Fisheries Minister Joe Francis said, “Drone technology has advanced significantly in recent years and it makes sense to test if it can be used effectively to make our beaches safer. The trial will assess whether this eye in the sky technology can add value to the beach surveillance currently provided by helicopter and beach patrols.”

This is yet another example of drones being used to cut costs and increase safety. While this particular project is being conducted in Australia, if the results are favorable we could see this type of beach drone surveillance in other parts of the world, including the United States, though privacy concerns will surely arise.

Privacy Tip #57 – Do Those Chip Credit Cards Really Protect Me from Fraud?

There are half a billion chip cards in the market right now. They have been touted as improving security and reducing credit card fraud. But do they?

According to a new report, both Visa and MasterCard say the chip cards (also known as EMV cards) are working. Visa reports a 47% decline in counterfeit-card fraud at merchants that have adopted chip terminals, and MasterCard reports a 54% reduction.

Nonetheless, only about a third of U.S. merchants have implemented EMV technology. This number should increase now that the card networks have shifted liability for counterfeit-card fraud at the point of sale onto merchants who still rely on the old magnetic-stripe technology.

However, online fraud continues to be a problem. Card-not-present (CNP) fraud is reported to have risen almost 50% last year alone. What is CNP fraud? It is when a criminal gets hold of your credit card number and uses it to buy things online, often goods that are delivered electronically. The chip offers no protection here: an online purchase uses only the printed card number, expiry date and security code, none of which the chip changes. The items most often bought with stolen card numbers are airline and other travel tickets, concert tickets and digital gift cards, all of which are easy to resell.

Criminals are also able to obtain individuals’ personal information on the black market and open new credit cards in people’s names without them ever knowing.

Criminals will continue to find ways to commit fraud. What can you do to protect yourself? Use your EMV card, inserting the chip rather than swiping wherever the terminal supports it. Check your credit card and debit card balances frequently. Check your credit report to see whether any cards have been opened without your knowledge. But the best proactive strategy is to place a credit freeze on your credit file, so that no one can open an account in your name without your knowledge and authorization. You can contact any of the three credit bureaus to find out how to place a freeze, and the pros and cons of doing so.

In the meantime, the EMV “chip” cards are indeed chipping away at fraud. Use them, and encourage your merchants to implement the technology so that the number of businesses accepting EMV cards grows quickly and protects all of us from credit card fraud.

Sixth Circuit: Substantial Risk of Harm and Mitigation Costs Sufficient to Confer Standing in Data Breach Case

On October 12, 2016, the U.S. Court of Appeals for the Sixth Circuit denied a petition for an en banc rehearing of its September 12 decision in Galaria, et al. v. Nationwide Mutual Insurance Company (Nos. 15-3386/3387). In that decision, a divided Sixth Circuit panel revived a suit against Nationwide arising from the 2012 theft by hackers of personal information of approximately 1.1 million individuals.

In Galaria, the plaintiffs brought claims alleging invasion of privacy, negligence, bailment, and statutory violations of the Fair Credit Reporting Act (FCRA) following the breach. The complaint alleged that the defendant failed to secure the plaintiffs’ data against a breach. A federal district court dismissed those claims, holding in part that the plaintiffs lacked Article III standing because they failed to allege a cognizable injury in fact. To establish standing under Article III of the U.S. Constitution, a plaintiff must suffer an injury in fact, fairly traceable to the defendant’s challenged conduct, that is likely to be redressed by a favorable judicial decision.


U.S. Department of Education Issues Guidance on Student Medical Records

On September 14, 2016, the Department of Education (DOE) issued a “Dear Colleague Letter” to provide guidance on the application of the Family Educational Rights and Privacy Act (FERPA) to the disclosure of student medical records in the context of litigation.

FERPA generally prohibits a school from disclosing personally identifiable information from a student’s education records without consent, unless an exception applies. Education records are defined as records that: (1) directly relate to the student, and (2) are maintained by an educational agency or institution or by a party acting for the agency or institution. Medical records (including mental health counseling records) are generally considered to be included in the definition of education records.

Exceptions under which medical records may be disclosed without student consent under FERPA include:

A. School Officials with a Legitimate Educational Interest

FERPA allows school officials, including professors, administrators, and legal counsel, to access education records, including medical records, without consent if the school has determined that the official has a legitimate educational interest in the records. A school official has a legitimate educational interest if the official needs to review an educational record in order to fulfill his or her professional responsibility.

Under FERPA, attorneys representing institutions in legal proceedings generally function as school officials. However, absent a court order or the student’s written consent, institutions should not conclude that their attorneys have a legitimate educational interest in accessing a student’s medical records unless the litigation at issue directly relates to the medical treatment itself or to payment for that treatment. DOE analogizes this exception to the HIPAA Privacy Rule’s treatment of litigation between a covered health care provider and a patient.

B. Disclosure to a Court without Court Order or Subpoena

FERPA regulations generally permit a school to disclose to a court education records that are relevant to its case against a student. DOE indicates, however, that this general rule should be “read in light of the special sensitivity of [medical or counseling records] and the importance of students being able to obtain timely on-campus medical treatment.” Similar to the exception for a legitimate educational interest, DOE analogizes this exception to the standard articulated in HIPAA guidance, and states that schools should use the litigation exception to disclose education records only if the lawsuit directly relates to medical treatment or payment for such treatment.

DOE also advises that if a student’s medical records are likely to be relevant to a reasonably anticipated, threatened, or pending lawsuit, an institution and its counsel may have a legal duty to place a “litigation hold” on the student’s medical records. DOE advises that an institution or its counsel should instruct the treatment provider to preserve the student’s medical records and, if necessary, electronically capture or take physical custody of those records.

C. Health or Safety Emergency

FERPA permits a school to disclose a student’s education records to appropriate parties if the student poses an “articulable and significant threat” to himself or herself or to others. A school official should be able to explain the reasonable belief that led to the conclusion that the student met this standard. The education records, including medical records, can be disclosed to any person whose knowledge of the information will assist in protecting the student or others. However, school officials must also take care to disclose only the information from the records that is necessary. DOE advises that in many cases providing the actual records is not necessary when a counselor’s summary of the relevant and necessary information from those records will suffice.

DOE notes that it has long encouraged institutions to implement a threat assessment program and that none of the guidance in this “Dear Colleague letter” diminishes the sharing of records and information allowed under FERPA to prevent or respond to violence on campus.

Transatlantic Data Transfer: An Update

The EU-US Privacy Shield, designed to protect EU citizens’ personal data when it is transferred to US organisations, has now been in place for a couple of months. How is it shaping up?

How we arrived at the Privacy Shield…

Under current EU data protection law, as well as under the forthcoming General Data Protection Regulation (GDPR), personal data can be sent to entities based outside the EU only if one of the specified protections is in place. One such protection is a finding that the receiving territory guarantees EU residents a level of legal protection “essentially equivalent” to that guaranteed within the EU.

The previous EU-US regime (the “Safe Harbor”) was stopped in its tracks by a ruling of the Court of Justice of the European Union that it was invalid. The court focused on concerns about systematic mass surveillance of private citizens by US government authorities, as revealed by Edward Snowden.

The Privacy Shield agreement was intended to replace and overhaul the Safe Harbor regime for data transfers from the EU to the US.

Data security under the Privacy Shield

The Privacy Shield includes substantial additional protections over the Safe Harbor. Participating companies must:

  • provide detailed information to individuals about their data processing activities, including information about the type of data, purpose of processing, right of access and the choices available to the individual
  • set out the available remedies should a complaint arise
  • offer an independent recourse mechanism to investigate and “expeditiously resolve” individual complaints
  • limit personal data to that which is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current
  • allow data subjects to opt out if their personal data is to be disclosed to a third party or used for a materially different purpose
  • only allow onward transfers where (1) the transfer is for a limited and specified purpose; (2) it is carried out on the basis of a contract (or comparable arrangement); and (3) that contract must provide the same level of protection.

Take up

There has been some high-profile take-up of the new regime, with companies such as Microsoft, Google and Dropbox signing up. But there has been vocal opposition, particularly from individual activists, including Safe Harbor challenger Max Schrems and Edward Snowden.

EU Data Protection and Privacy regulators group WP29 previously raised concerns around the independence of the redress mechanisms available and also the continuing potential for indiscriminate data collection and surveillance. When the Privacy Shield comes up for its first annual review in the summer of 2017 WP29 will take a long, hard look at the arrangement.

Overall take-up has been cautious. A survey in August suggested that only 34 percent of companies intend to use the framework, with the others preferring to rely on other data-transfer mechanisms such as standard contractual clauses (according to an IAPP report).

However, standard contractual clauses (SCCs) are also under challenge through the Irish courts.

Standard Contractual Clauses under threat

The SCC mechanism for data transfer is being challenged on a similar basis to the Safe Harbor, with a court hearing expected next year. A summary issued by the Irish regulator, the Data Protection Commissioner (DPC), explains the background to the case and gives a trial date of 7 February 2017. The DPC has several concerns about the SCC mechanism, particularly the absence of an adequate legal remedy for aggrieved EU citizens whose data has been transferred.

The case has attracted international attention with applications to take part from ten organisations. The Irish court will allow the US Government, BSA Business Software Alliance, Digital Europe and EPIC to contribute to the case. A referral to the European court will probably follow.

The Privacy Shield and the other mechanisms for cross-border data transfer are unlikely to see further significant changes this year but are likely to change again in 2017. In the UK, the Brexit vote does not alter the need to comply with EU-based legislation now. It also seems likely that the data protection laws in place when the UK formally leaves the EU (likely to include the GDPR) will be retained by the current government.

This article courtesy of guest blogger Edward Hadcock of Mills & Reeve LLP.

World Energy Council Issues New Report on Cyber Risk

Because cyber risk presents a “unique concern” in the energy sector, the World Energy Council has issued a new report entitled “The Road to Resilience: Managing Cyber risks,” to its industry leaders.

Referring to two cyber incidents that affected the nuclear industry in recent years (the SQL Slammer worm’s infection of a U.S. nuclear plant’s network in 2003, and the hacking of South Korea’s nuclear operator in 2014-2015), the report states that “[L]arge centralised infrastructures are especially at risk due to the potential ‘domino effect’ damage that an attack on a nuclear, coal, or oil plant could cause.”

The report outlines recommended actions that executives and stakeholders can take to improve the response to the growing threat of cyber attacks on the industry, particularly on industrial control systems (ICS). It states: “Attacks on ICSs could lead to loss of control of key equipment, with potential machinery breakdown, fire, explosion or injuries.”

Draft Cybersecurity Self-Assessment Tool Published

The National Institute of Standards and Technology (NIST) recently published a draft cybersecurity self-assessment tool entitled “The Baldrige Cybersecurity Excellence Builder,” which gives organizations a way to determine their security maturity level.

According to the guide, it will assist organizations to:

  • Determine cybersecurity-related activities that are important to business strategy and the delivery of critical services
  • Prioritize investments for managing cybersecurity risks
  • Assess the effectiveness and efficiency of using cybersecurity standards, guidelines and practices
  • Assess results of implementing security tools
  • Identify priorities for investments to improve enterprise-wide security

The goal is to help organizations figure out where they are on the data security continuum, give them tools to determine where they should be in their security maturity, and assist them in implementing an action plan to get where they need to be in protecting the organization’s data. It is an important process to go through and a worthwhile read, and the comment period is open until December 15, 2016.