DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

No violation of HIPAA in Monroeville, feds say

Posted on March 25, 2014 by Dissent

Kyle Lawson reports on a case involving Monroeville, Pennsylvania that I’ve followed on this blog over the past few years. As I had noted, although I thought there was a privacy violation, it wasn’t clear to me whether the services involved were HIPAA-covered entities. It turns out  they weren’t. Lawson reports:

[HHS’s] investigation found that neither the dispatch center, police department or fire department are health care providers, health plans or health care clearinghouses, and therefore are not covered by the Health Insurance Portability and Accountability Act, according to the letter.

Read more on TribLive.  The Pittsburgh Post-Gazette also covers the finding and has uploaded a copy of HHS’s closing letter.

In this case, then, it’s accurate to say that there’s no violation of HIPAA  only because HIPAA doesn’t apply. I do not think it is appropriate to say that there has been no violation of privacy, and investigators hired by the town did find concerns in that regard. In other words, I disagree with Municipal Manager Timothy Little, who is quoted in the Post-Gazette as saying:

“I think it lifts a cloud off of Monroeville, and specifically the public safety aspect of the municipality, that there wasn’t any wrongdoing with respect to [health privacy law] violations,” Mr. Little said.

To the contrary, I think there was substantial wrong-doing in terms of privacy, and HHS even noted problems they observed, but HIPAA doesn’t cover the agencies.

Keep in mind that because they are not a HIPAA-covered entity, the involved agencies were also not subject to HIPAA’s Security Rule. In this case there were reported security as well as privacy concerns about access not being appropriately restricted to those who had a need to know. There were also security concerns about access to the police database.

So this is one of those situations where people’s information can really be at risk of improper exposure or breaches and yet there is no clearly applicable federal law that covers the situation.  There is however, a Pennsylvania law restricting access to the criminal history database the police use, and an audit by the state’s attorney general had found Monroeville in violation.

From the getgo, this case’s serious privacy and data security concerns became ensnarled in local politics. And that’s a shame, because had the concerns raised been professionally and promptly addressed, the drama and job demotions and firings likely could have been avoided and the privacy and security of Monroeville’s residents would have been better protected sooner.

Category: Uncategorized

Post navigation

← Hospital's missing data drive contains info on child patients
Potential 7 Million Credit Card Details Leaked by “Anonymous Ukraine” (update2) →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Fraudsters, murderers, students: who the GRU assembled a team of hacker provocateurs from and why it failed
  • Order of Psychologists of Lombardy fined 30,000 € for inadequate data security protection and detection following ransomware attack
  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.