Health Information Privacy

Subscribe to Health Information Privacy

On January 1, 2022, Broward Health, which operates dozens of health care facilities in Broward County, Florida, notified over 1.3 million individuals that a threat actor gained access to and removed data from its system on October 15, 2021. The data exfiltrated and compromised included individuals’ names, addresses, dates of birth, driver’s license numbers, Social

One of the challenging things about HIPAA (Health Insurance Portability and Accountability Act) enforcement is the fact that both the Office for Civil Rights and State AGs have jurisdiction to assess fines and penalties for HIPAA violations. The old double whammy.

States enforce those rights sparingly, but New Jersey is getting itself on the map

A federal district court in Montana has confirmed that HIPAA precludes a private right of action for patients to claim an unauthorized access, use, or disclosure of protected health information.  Nonetheless, the court denied the defendant covered entity’s motion to dismiss the complaint, holding that the plaintiff could move forward with state-specific claims of invasion

The Office for Civil Rights (OCR) recently announced that it has entered into the 20th settlement under its Right of Access Initiative. The settlement with Children’s Hospital and Medical Center in Nebraska includes an $80,000 payment by the hospital for failing to provide a mother with timely access to her daughter’s medical records.

According

Eskenazi Health in Indianapolis has been diverting emergency department patients arriving by ambulance to other area hospitals since it shut down its network following a ransomware attack on August 4, 2021. The diversion is “out of an abundance of caution and to maintain the safety and integrity of our patient care” according to a hospital

A fertility clinic in California cannot escape a lawsuit brought by a patient after the clinic sent private information to the individual’s entire work team.

The clinic, Lane Fertility Institute for Education and Research (Lane), emailed a client regarding an embryo transfer procedure she had undergone the prior year, seeking information about her resulting pregnancy.

The Office of Civil Rights (OCR) of the U.S. Department of Health & Human Services recently issued its Summer 2021 Cybersecurity Newsletter, which focuses on controlling access to electronic personal health information (ePHI) and the HIPAA Security Rule standards. Citing to a recent report of security incidents and data breaches in the health care

On June 16, and then on July 6, 2021, Connecticut Governor Ned Lamont signed into law a pair of bills that together address privacy and cybersecurity in the state. Cybersecurity risks continue to pose a significant threat to businesses and the integrity of private information. Connecticut joins other states in revisiting its data breach reporting laws to strengthen reporting requirements, and offer protection to businesses that have been the subject of a breach despite implementing cybersecurity safeguards from certain damages in resulting litigation.

Public Act 21-59 “An Act Concerning Data Privacy Breaches” (PA 21-59) modifies Connecticut law addressing data privacy breaches to expand the types of information that are protected in the event of a breach, to shorten the timeframe for reporting a breach, to clarify applicability of the law to anyone who owns, licenses, or maintains computerized data that includes “personal information,” and to create an exception for entities that report breaches in accordance with HIPAA. Public Act 21-119 “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” (PA 21-119) correspondingly establishes statutory protection from punitive damages in a tort action alleging that inadequate cybersecurity controls resulted in a data breach against an entity covered by the law if the entity maintained a written cybersecurity program conforming to industry standards (as set forth in PA 21-119).

Both laws take effect October 1, 2021.
Continue Reading Connecticut Enacts Legislation to Incentivize Adoption of Cybersecurity Safeguards and Expand Breach Reporting Obligations

University Medical Center in Las Vegas announced that it recently became the victim of a ransomware attack by REvil, a well-known threat actor that has attacked many hospitals and health systems with the Sodinokibi malware variant.

It is being reported that during the attack, REvil was able to exfiltrate personal information that it then published