HHS OCR’s October newsletter begins: Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners work to educate stakeholders on cybersecurity awareness and how best to protect the privacy and security of confidential data. Within the health care industry, the HIPAA Security Rule1 applies to covered entities2 and their business associates3 (“regulated entities”)…
Category: HIPAA
Medical billing service in Florida one of the latest victims of ransomware attacks
Add NCG Medical to business associates who a ransomware attack has compromised. The medical billing service in Florida was added to the Hive ransomware group’s leak site on August 31, with Hive claiming that they encrypted NCG’s files on August 19. The 12-day gap between encryption and publicly revealing the attack is a relatively short…
OCR Settles Case Involving Decade-Long Improper Disposal of Protected Health Information
There is an enforcement update to an incident noted on this site in 2018. The incident that involved New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) was summarized by HHS in their resolution agreement and corrective action plan for this case: On May 11, 2021, NEDLC filed a breach notification report…
Transparency #FAIL: Why won’t Anthem/Elevance Health answer a simple question about breaches?
A DataBreaches opinion piece. You might think a giant insurer like Anthem, which has experienced at least several breaches over the years — including one of the most significant breaches ever — would understand the importance of transparency by now. Apparently not. On May 24, Anthem (now known as Elevance Health) posted a notice on…
Family Practice Center discloses a breach from October 2021
DataBreaches really and truly does not understand how entities can take so long to investigate some breaches before disclosing them. If HHS feels that seven months from the first detection of an attack to notification is reasonable or acceptable, then let it change the regulations. If it is not acceptable and HHS wants entities to…
Associated Eye Care Partners, LLC discloses vendor breach. Can you guess which vendor?
One of the breach notices that showed up in routine searches this morning was from Associated Eye Care Partners, LLC (“AEC”). The first sentence of the notification letter was: We are contacting you to inform you of a data incident experienced by a third-party vendor for Associated Eye Care Partners, LLC (“AEC”). My mind…