Subscribe: HIPAA Blog
http://hipaablog.blogspot.com/atom.xml

HIPAA Blog



A discussion of medical privacy issues buried in political arcana



Updated: 2017-10-17T06:20:22.927-05:00

 




2017-10-12T12:04:29.123-05:00

Cloud-Based Blood Testing Information Breached: An Amazon cloud data repository for blood testing data managed by Patient Home Monitoring was not configured correctly, and a tech security company came across it.  300,000 PDFs accounting for about 150,000 people.  Oops. Using the cloud is OK, but only if you do it right.  Be careful . . . .




2017-09-27T12:45:43.322-05:00

Don't forget to vote for me for best "niche" legal blog.  You can go vote here. 




2017-09-27T12:36:40.522-05:00

I'm not surprised, actually: This is a frightening headline: 73 Percent of Medical Professionals Share Passwords for EHR Access.  If you're a medical resident, you used the attending's login information with the attending's consent.   So, it happens.  A lot.  But not a lot of bad comes out of it, since most (maybe virtually all) medical professionals do the right thing: access only what you




2017-09-26T14:26:12.168-05:00

Nichey? Or Special? Some of my blog readers nominated me for the Best Legal Blog Contest in the "Niche and Specialty" Category.  If you feel so inclined, you can go vote here. 




2017-09-18T11:47:06.858-05:00

PeaceHealth Data Breach: another "employees behaving badly" breach.  Over about 5-6 years, the employee accessed about 2000 records he/she had no need to access.  No apparent social security skimming, so not likely to be ID theft.  Reading between the lines, that probably means your garden variety snooping.  Bad but not horrible.  However, the big question is how it took almost 6 years to notice




2017-09-06T11:38:18.481-05:00

Nurses behaving badly.  I guess "Mr. Big" died.  This is mildly humorous, but somehow I think the reaction would be outrage if the victim were female instead of male. H/T Ron Holtsford.




2017-08-31T12:19:34.520-05:00

More Window Envelope issues: now it's CVS with a problem letting PHI leak out envelope windows.




2017-08-29T14:57:06.942-05:00

Aetna HIV data breach: Well, that was fast.  Those class action lawyers can outrun an ambulance.




2017-08-25T14:05:04.704-05:00

The Trouble with Window Envelopes: It's nice to use envelopes where the address of the recipient is only printed on the page inserted into the envelope, but is visible through a window in the outer envelope.  It saves costs, as well as reduces the possibility of a mismatch between the information in the insert and the information on the envelope (i.e., the wrong letter gets inserted into the




2017-08-23T18:17:52.990-05:00

Cybersecurity Class Action Update: One interesting aspect of data breaches (whether HIPAA-related or not) is the potential for lawsuits from affected parties.  Most times, injured individuals can't show monetary damages from a HIPAA breach, and that's particularly true in non-HIPAA breaches such as the Target or Home Depot data breaches, where any credit card fraud was covered by the credit card




2017-08-21T08:35:30.690-05:00

Hospitals are the Number One Target for Hackers: at least for ransomware.




2017-08-14T10:24:44.520-05:00

Women's Health Care (PA): A large Philadelphia-area ob/gyn practice has notified 300,000 patients of a potential data breach.  Not much news on what happened, but it was apparently a hack that penetrated the group's computer system; they don't know for sure if information was actually viewed or extracted, but the information subject to potential breach did include social security numbers (bur




2017-07-26T14:07:11.338-05:00

Wall of Shame: OCR is updating its large data breach reporting website.




2017-07-20T10:36:13.648-05:00

Peachtree Neurological (Atlanta): Peachtree Neurological was hit with ransomware recently.  Fortunately, (i) they were able to restore their systems without paying the ransom, and (ii) there was no evidence that the ransomware exfiltrated any data, thus likely giving them a good reason to determine that the ransomware incident did not constitute a reportable breach (yes, OCR, I'm talking to you)




2017-07-20T10:25:07.995-05:00

Petya: More on the ransomware virus that disproportionately hit healthcare entities.  




2017-07-13T12:29:05.080-05:00

University of Iowa: Seems like a pretty minor breach, but some names, admission dates, and medical records were available online.  




2017-07-12T18:16:38.486-05:00

Employee Snooping Draws Criminal Charges (St. Charles Health System, Oregon): A nursing assistant looked at about 2,500 patients' records; no identity theft or fraud, apparently just idle curiosity.  However, she's being charged with misdemeanor computer crimes.  Sounds about right -- nice to make a point of how she's dealt with, but not punishing her unnecessarily harshly.




2017-06-30T10:03:45.372-05:00

Petya Cyberattack: A rural West Virginia hospital is one of the headline victims of the most recent ransomware iteration, known as Petya (which follows closely on the heels of WannaCry, which had a built-in escape hatch that prevented it from causing too much damage).  How do you protect yourself: Don't pick up the virus.  Easier said than done, but you can go a long way just through education




2017-06-26T13:22:07.828-05:00

Anthem Breach: Remember the 2015 Anthem breach?  The one with up to 80 million individuals' information compromised?  The one where we think the Chinese were involved, and they got the IT folks to give up their credentials and got sysadmin privileges, so encryption wouldn't have even mattered?  Yeah, that one. Well, Anthem has agreed to settle the lawsuit for $115 million.  Of course, that's a




2017-06-14T14:24:01.069-05:00

Wall of Shame: Apparently OCR is considering some changes to the website listing of all large breaches, based on concerns expressed by a congressman (who also happens to be a doctor) that the listing is too punitive to entities that did no wrong but had to report anyway.




2017-06-14T11:36:56.712-05:00

St. Luke's-Roosevelt's Faxing Problem: An NYC hospital has been fined $387,000 for two misdirected faxes.  That's a big fine.  Why? Three reasons: One, all fines are big these days.  OCR still feels it needs to make an impression, and if you've done wrong and get caught, you're going to pay in a big way.  Two, the PHI that was disclosed, and whom it was disclosed to, were pretty egregious: it




2017-06-12T07:32:48.493-05:00

Hospital Cybersecurity in Critical Condition: So says a report by HHS' Health Care Industry Cybersecurity Task Force.  Not particularly surprising.




2017-05-30T11:57:28.565-05:00

Molina, AZ Health Dept Breaches: Molina Healthcare, a big player on the insurance exchanges established by the ACA, has reacted to word from Brian Krebs, cybersecurity expert, that their patient portal has some problems. Additionally, the Arizona Department of Health Services has reported a possible breach due to some lost mail. 




2017-05-15T12:04:19.142-05:00

Memorial Hermann: Memorial Hermann in Houston had a patient who used a fake ID to get services; the staff called the cops, who arrested the patient.  Apparently, the patient was an illegal immigrant (undocumented alien, if you wish, but being an undocumented alien is against the law, hence the word "illegal").  If I recall correctly, Memorial Hermann got hammered in the press for "reporting"




2017-05-01T12:14:22.707-05:00

Connecticut Case on Patient-Physician Confidentiality: Interesting case, but probably not specifically HIPAA-relevant.  HIPAA allows disclosure of PHI under non-judicial subpoenas, as long as "reasonable assurances" are received.  It's unclear whether they were in this case, but it's also unclear if there's any HIPAA component to the case at all at this point, given that this is the second trip