Joseph Lazzarotti of Jackson Lewis highlights an important note in recent OCR guidance: What is a covered entity’s obligation under the Breach Notification Rule if it transmits an individual’s PHI to a third party designated by the individual in an access request, and the entity discovers the information was breached in transit? If a covered…
Category: Commentaries and Analyses
Federal Times obtained and analyzed 26,381 security incidents reported by HHS components over a 30-month period
Kudos to Federal Times, who obtained a tremendous amount of data from HHS about security incidents involving their component systems. Aaron Boyd reports on their analysis of data, which was obtained through a Freedom of Information request. The analyses look at types of attacks by components of HHS. Here’s some of their analysis and findings: The records…
You’re on File: Inside Story on China’s Database of Americans
Joshua Phillip reports: An insider in China has revealed to the Epoch Times that he helped build a database that is now being used to handle Americans’ personal information stolen in cyberattacks. The FBI revealed on June 4, 2015, that a cyberattack, allegedly from China, stole personal information on close to 21.5 million U.S. federal employees…
uKnowKids updates its breach report and answers a question I posed
There’s an update to uKnowKids’ breach disclosure, here. They assert that their analysis shows only one IP address – presumably researcher Chris Vickery’s – downloaded any data from their misconfigured database. They do not name the provider responsible for security the database. According to their statement, the misconfigured instance of the database occurred on December…
FTC Says Listen Up When Vulnerability Reports Come In
James Denvil and Paul Otto of Hogan Lovells write: The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek (“ASUS”). In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS…
MY: Personal health data theft scary
From a letter to the editor of by S.M. Mohamed Idris of The Consumers’ Association of Penang (CAP) in Malaysia: [CAP] is distressed by the recent news that a group of hackers had hacked into the systems of both government and private hospitals and stolen the personal health data of tens of thousands of individuals – data…