House Bill Would Allow Employers to Require and Access Genetic Testing Results

House bill HR 1313, introduced by Representative Virginia Foxx (R-N.C.), proposes to allow companies to require employees to undergo genetic testing, then allow employers to see the results, and impose financial penalties on any employees who request to opt out of the requirement.

The bill, which was before the House Committee on Education and the Workforce, was supported by all 22 Republicans and opposed by all 17 Democrats on the Committee.

Those in support of the bill state that the legislation would give employers the ability to offer wellness plans and promote a healthy workforce and lower health care costs.

Critics say the bill would eviscerate the Genetic Information Non-Discrimination Act (GINA) and the Americans with Disabilities Act (ADA) which specifically prohibit employers from asking for, accessing or using genetic information for certain actions that are considered discriminatory.

We will be watching this bill closely.

Air Force Security Clearance Files Compromised on Unsecured Backup Drive

Security researchers have discovered that an unsecured backup drive has compromised thousands of U.S. Air Force documents, including personnel files and sensitive forms filled out by senior and high-ranking officials. These files were openly accessible because they were located on a backup drive connected to the internet wasn’t password protected.

The compromised files include the names, ranks, addresses, and Social Security numbers of over 4,000 Air Force officers. Other files included the security clearances of hundreds of Air Force officers, including top secret clearance.

Another exposed file included completed applications for national security clearances, which include highly sensitive information that could be used by foreign enemies and spies.

Cardiology Group Hard Drive Stolen

Denton Heart Group, located throughout Dallas, has notified 21,665 patients that their protected health information has been compromised as a result of the theft of a hard drive from a locked closet.

The hard drive that was in the closet contained the group’s backup data from the practice’s electronic health system—which included apparently of all of their patients’ information over the span of 8 years.

The stolen data included patients’ demographic data, which may have included name, address, date of birth, driver’s license numbers, Social Security numbers, insurance information and policy numbers, physician names and diagnoses, conditions, lab results, and medications from 2009-2016.

Lessons learned? Reconsider data destruction practices so PHI is not kept longer than is legally required, and data security practices that include not keeping back up tapes of your entire EMR in a locked closet on the premises.

Home Depot Settles with Financial Institutions

A federal judge has preliminarily approved a proposed settlement of $25 million between Home Depot and financial institutions that issued payment cards that were affected by the Home Depot data breach in 2014. This proposed settlement amount is in addition to the $140 million settlement with other payment card issuers such as American Express and Discover through card brand recovery processes.

The proposed class that is the subject matter of the settlement includes approximately 20-30 percent of the financial institutions that issued credit and debit cards to Home Depot consumers, including 50 financial institutions from 44 states, 16 state credit union associations and the Credit Union National Association. This is the second time a retailer has agreed to a settlement outside the card recovery process-the first was Target’s settlement of financial institutions’ claims in the amount of $19.1 million.

UAS, A Growing Part of the Oil and Gas Industry

As the use of unmanned aerial systems (UAS or as they are more commonly called, drones) continues to rapidly increase as technology continues to develop, more and more industries will utilize UAS in their day-to-day operations, including the oil and gas industry. Initially, UAS were mainly used in the oil and gas industry for conducting inspections, but now, UAS are becoming part of the fabric of the industry. UAS are now used for a variety of tasks from monitoring pipelines to providing assistance during oil spills. UAS are more efficient than previously used techniques and can also offer an element of safety by removing people from potentially dangerous missions.

When the oil and gas industry conducts maritime missions in the water, UAS are used for surveying and inspections including structural surveys, pipeline inspections, bottom debris surveys and sub-sea facility inspections. Aerial missions in the oil and gas industry using UAS are also becoming more common. UAS are being used to conduct flyovers in oilfields of Alaska and monitor oil and gas production in New Mexico. UAS can even be used to detect oil and gas leaks which may lead to less catastrophic events involving the oil and gas industry, and save the environment from the hazardous effects of oil and gas spills.

While UAS currently hold a valuable position in the oil and gas industry, it is likely that UAS will have an even bigger place going forward.

Wendy’s Executives and Board File Motion to Dismiss

We previously reported that Wendy’s was hit with a putative class action shareholders’ derivative suit in December following its data breach in 2016. [view related post]. Late last week, the executives and Board of Wendy’s filed a Motion to Dismiss the case saying that the allegations in the Complaint were pure speculation, and that the Plaintiff failed to allege that the Board acted with gross negligence or reckless disregard of their duties or that they failed to monitor Wendy’s data security measures or disregarded security vulnerabilities.

The Motion to Dismiss further alleged that the Plaintiff failed to allege a viable duty of loyalty claim, and further failed to request that the Board investigate potential wrongdoing before filing the Complaint.

Finally, the Board stated that the allegation of bad faith was not viable since the alleged harm was caused by hackers.

Privacy Tip #78 – Cybersecurity Aids for Small Businesses

I frequently get complaints from small businesses that they don’t have the resources or resilience to properly address cybersecurity and that it is overwhelming to them.

Well, it is. We frequently tell businesses that they must be prepared as they might not think they are targets, but they are. But what happened to the relevance of the concept of “according to the size and scope of the entity?”

On March 10, 2016, the House Small Business Committee issued new cybersecurity aids for small businesses following a hearing that emphasized the vulnerabilities of small businesses.

The statistics are quite alarming: almost 60 percent of small companies go out of business in the wake of a hacking incident and 71 percent of all cyber assaults happen in businesses with less than 100 employees.

The guide is split into three parts. The first relates to data breach response, and basically refers businesses to the Federal Trade Commission (FTC) guidance on the topic.

The second is targeted to small vendors and internet of things products and outlines measures to protect themselves and their customers.

Another section outlines five things small companies can do to protect personal information. They include:

  • Taking stock—map and know where personal information is and when it is on Web-connected computers
  • Scale Down—only keep the information the business needs
  • Lock It—how to protect the information
  • Pitch It—how to properly dispose of personal information when it is no longer needed
  • Plan Ahead—how to develop a security incident response plan.

Basic, but sound measures that small businesses can take to protect themselves and get the overwhelming process started so it doesn’t seem so difficult. It’s worth a read.

Medical Device Malware Medjack.3 Poses Threat to Hospitals

Medjack is a form of malware that was specifically developed to attack medical devices, such as heart monitors, CT and MRI machines, insulin pumps and PAC systems.

Medjack has been in existence since 2015, and Medjack.2 came on the scene in the summer of 2016. Medjack.2 was able to bypass security controls and use cybersecurity tools to install backdoors and move within a healthcare system without notice.

Security researchers at TrapX have now discovered a third version of Medjack, dubbed Medjack.3, which hackers are using an old malware spreader to attack medical devices that are connected to older operating systems.

The conclusion is that any medical device that is connected to an old unpatched operating system is vulnerable to Medjack.3 and will accept the malware without detection. These systems include Windows XP and Windows 2003, 2008, and 2012. TrapX is warning healthcare providers that are using older operating systems that Medjack.3 may already have infected the networks and therefore, any medical devices connected to them.

Health care providers may wish to determine whether Medjack.3 is affecting their networks, and therefore, any medical devices connected to them.

Yahoo Breaches Cost Shareholders $350 Million From Lowered Purchase Price, CEO Forfeits $14 Million in Compensation

Yahoo’s troubles for failing to timely disclose security breaches provides rare insight into quantifying the financial and other costs to a company’s shareholders and leadership when a security breach occurs and is mishandled.

In 2014, more than a billion Yahoo accounts were hacked. Then in 2015 and 2016, more than 500,000 Yahoo user accounts were hacked by the same attacker. In all cases, hackers accessed user emails and sensitive information. However, it is alleged that Yahoo failed to thoroughly investigate the breaches. Yahoo also failed to disclose the breaches until late 2016, when it was in talks to sell the company’s core assets to Verizon.

Yahoo’s executive team denied having knowledge of the breaches prior to the disclosure. However, on March 1, 2017, Yahoo disclosed its independent investigation results and stated that Yahoo’s IT staff had “contemporaneous knowledge” of the 2014, 2015, and 2016 incidents. While finding there was no intent to suppress the breaches, the investigation concluded Yahoo’s IT team and legal staff did not properly comprehend or investigate them.

The SEC was examining whether the breaches were hidden from Yahoo customers and shareholders, but it is not clear whether anything will come of this investigation. Yahoo shareholders demanded that the company claw back a portion of CEO’s Marissa Mayer’s compensation, claiming she had to have known but covered up the breaches to avoid derailing a sale of the struggling company.

Ultimately, in late February 2017, Verizon agreed to move ahead with its purchase, but renegotiated the purchase price down by $350 million to a new price of $4.48 billion. This week, it was also disclosed that senior executives managing Yahoo at the time of the breaches would face consequences. Yahoo’s legal counsel was forced out. CEO Mayer said she voluntarily gave up her 2016 annual cash bonus and 2017 stock award, which together are worth about $14 million.

West Virginia University Medicine University Healthcare Patients Victims of Identity Theft

West Virginia University Medicine University Healthcare (WVUM) has confirmed that it is sending notification letters to over 7,400 of its patients seen at Berkeley Medical Center as a result of an unauthorized access to their information. It further confirmed that 113 of its patients have become the victims of identity theft as a result of the theft of patient records by an employee of Berkeley Medical Center (Berkeley).

The Berkeley employee removed patient information from the premises of WVUM through writing information on a pad. The FBI identified the link through investigating another matter. The employee was authorized to access the patient records, but then used the information for criminal purposes. She was fired and is being prosecuted.

Berkeley is providing credit monitoring services to the affected patients.

LexBlog