Glad to see this announcement from HHS/OCR: Since the passage of the Health Information Technology for Economic and Clinical Health Act of 2009 and the subsequent implementation of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, OCR has prioritized investigation of reported breaches of protected health information (PHI). The root causes of…
Category: Commentaries and Analyses
Audit of Pittsford Central School District by NYS Comptroller
An audit concerning: Security of Personal, Private and Sensitive Information (PPSI) on Mobile Computing Devices and Extracurricular Cash Records and Collections. Report of Examination. Period Covered: July 1, 2014 – January 21, 2016. Of relevance to this site: The Pittsford Central School District (District) is governed by the Board of Education (Board), which is composed…
Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm
Every time there’s a big breach that has consumers or patients outraged, I see rumblings in the Comments section of posts about class-action lawsuits. An article by John Devine, Edward McAndrew, and Gregory Szewczyk of Ballard Spahr about a recent opinion in District Court for the D.C. Circuit is a timely reminder of the uphill battle plaintiffs may…
California dentist notifies patients of backup drive stolen from car
Why are we still reading reports of devices with unencrypted patient information being stolen from providers’ unattended vehicles? This is the second report this month I’ve read like this. And while it’s one thing to inform patients that you believe the device was stolen for commercial value and not contents, does this letter go too far…
Athens Orthopedic Clinic incident response leaves patients in the dark and out of pocket for protection
On June 26, after learning that databases with patients’ protected health information had been put up for sale on the dark web, DataBreaches.net began investigating and trying to alert the victim entities so that they could take immediate steps to try to mitigate harm to patients. By that evening, I had sent an email to Athens Orthopedic…
Axing Boss Is Data Breach Response Last Resort
Jimmy Koo reports: Scapegoating the boss over a cybersecurity incident that compromises customer data or reveals unsavory internal communications usually isn’t the first option in a breach response. Data breaches may result in consumer class actions, organizational embarrassment, a drop in the price of a company’s stock and brand reputation damage, but top executives generally…