DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Should HHS fine entities who experience repeated avoidable security failures?

Posted on October 26, 2010 by Dissent

I’m working on a breach post for later today but started mulling over the question of whether HHS needs to start fining covered entities who have repeat breaches  where the entity did not seem to adequately harden their security after the first breach or to really learn from experience.

This is 2010.  The excuse “we  were  in the process of encrypting” or “now we’re going to encrypt” seems inadequate.  HIPAA went into effect in 1996.  Why are some of these easily avoidable breaches still occurring?   HHS has adopted an educative and corrective approach, but how many times do some entities need to be educated before the government starts  hitting them with fines in addition to the other costs of a breach?

Do you think that it would help if HHS started handing out fines to repeat offenders?  If so, what scenarios would you think should lead to fines?  I’d nominate  inadequately secured PHI on a device stolen off-premises as my first nomination.  As a close second, repeated theft of devices from hospital premises where the data at rest were not adequately protected.

Your thoughts?

No related posts.

Category: Health Data

Post navigation

← TX: Sensitive documents found in a dumpster
Will The ICO Make An Example Of Google? (I hope not) →

1 thought on “Should HHS fine entities who experience repeated avoidable security failures?”

  1. Anonymous says:
    October 27, 2010 at 4:56 am

    I used to work for a Mental Health agency in Maine. The idiot IT Manager used to state that as long as he thought the data security was “good enough” then the agency was HIPAA-compliant.

    They subsequently bought a new software package that was file-server based which means that any user had full access to the data files in the directory. The files themselves could be accessed (without any auditing) by right-clicking on the file itself and using Notepad read all the client data, for example.
    When I brought this to their attention, they just blew it off. I believe that they changed their backend database to PervasiveSQL (an SQL wrapper for bTrieve files). You could no longer use Notepad to access the data you had to use Wordpad.

    This vendor is now trying to become the preferred vendor in California.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)
  • Nigerian National Pleads Guilty to International Fraud Scheme that Defrauded Elderly U.S. Victims
  • Nova Scotia Power Data Breach Exposed Information of 280,000 Customers
  • No need to hack when it’s leaking: Brandt Kettwick Defense edition
  • SK Telecom to be fined for late data breach report, ordered to waive cancellation fees, criminal investigation into them launched
  • Louis Vuitton Korea suffers cyberattack as customer data leaked
  • Hunters International to provide free decryptors for all victims as they shut down (2)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.