Leveraging Knowledge to Manage Your Data Risks
The Office for Civil Rights (OCR) entered into two recent settlements with covered entities alleging that they failed to conduct security risk assessments. The settlements indicate that OCR will continue to aggressively regulate potential violations of the Health Insurance Portability and Accountability Act (HIPAA), particularly for failure to conduct risk assessments.
Deer Oaks
On July 7…
PIH Health, a health care entity located in California, suffered a data breach in June 2019 when 45 employee email accounts were compromised in a targeted phishing campaign. The accounts contained the protected health information (PHI) of 189,763 individuals, including their names, social security numbers, driver’s license numbers, diagnoses, lab tests, medications, treatment, claims, and…
We often cover consumer class action complaints against companies regarding the privacy and security of personal information. However, litigation can also arise from alleged breach of contract between two companies. This week, we will analyze a medical diagnostic testing laboratory’s April 2025 complaint against its managed services provider for its alleged failure to satisfy its…
The Office for Civil Rights (OCR) announced on April 10, 2025, that it has settled alleged HIPAA Security Rule violations with Northeast Radiology for $350,000.
The investigation followed a breach report by Northeast Radiology to OCR in March 2020 after unauthorized individuals accessed radiology images stored in PAC servers. Northeast Radiology notified 298,532 patients of…
Genetic testing company 23andMe has filed for Chapter 11 bankruptcy protection, and its CEO has resigned. It is seeking to sell “substantially all of its assets” through a reorganization plan that will have to be approved by a federal bankruptcy judge.
Mark Jensen, Chair and member of the Special Committee of the Board of…
At the close of 2024, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (the Proposed Rule) to amend the Security Rule regulations established for protecting electronic health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The updated…
The Office for Civil Rights of the Department of Health and Human Services (OCR) was busy negotiating and settling enforcement actions in November and early December. Since October 31, 2024, the OCR has settled five separate cases of alleged HIPAA violations. The settlements include resolution agreements and civil monetary penalties.
One of the settlements and…
The Office for Civil Rights of the Department of Health and Human Services (OCR) announced on September 26, 2024, that it had entered a settlement with Cascade Eye and Skin Centers (together, Cascade) for $250,000 following an investigation of a ransomware attack against them.
This is the fourth settlement against a victim of a ransomware…
The State of California, under the leadership of Governor Gavin Newsom, has taken the lead of its sister states in mobilizing resources to investigate the risks of the use of generative artificial intelligence (GenAI) tools and develop policies addressing them.
Following in the steps of Colorado, this week, the Governor signed into law an amendment…
Last year, the American Hospital Association (AHA) sued the U.S. Department of Health and Human Services (HHS) in the U.S. District Court of the Northern District of Texas, requesting that HHS be barred from enforcing a new rule adopted by the Office for Civil Rights entitled “Use of Online Tracking Technologies by HIPAA Covered Entities…
