NYC Health & Hospitals Corp. posted a notice this week (reproduced below) that suggests that a rogue employee may have been selling PHI to law firms or clinics that specialize in motor vehicle accident patients. Of note, this notice does not specify any one hospital where the employee worked. Did the employee have access to…
Category: Of Note
Ransomware attack hits major US data center provider
Catalin Cimpanu reports: CyrusOne, one of the biggest data center providers in the US, has suffered a ransomware attack, ZDNet has learned. CyrusOne is currently working with law enforcement and forensics firms to investigate the attack and is also helping customers restore lost data from backups. Read more on ZDNet.
Merck cyberattack’s $1.3 billion question: Was it an act of war?
Riley Griffin of Bloomberg reports: By the time Deb Dellapena arrived for work at Merck & Co.’s 90-acre campus north of Philadelphia, there was a handwritten sign on the door: The computers are down. It was worse than it seemed. Some employees who were already at their desks at Merck offices across the U.S. were…
Facebook must face data breach class action on security, but not damages: judge
Jonathan Stempel reports: A federal judge said up to 29 million Facebook Inc (FB.O) users whose personal information was stolen in a September 2018 data breach cannot sue as a group for damages, but can seek better security at the social media company after a series of privacy lapses. Read more on Reuters.
OCR Secures $2.175 Million HIPAA Settlement after Sentara Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
OCR has announced another settlement. This one involves Sentara Hospitals, and it’s a somewhat surprising one in the sense that Sentara not only seems to have gotten the fundamentals of HIPAA and notification compliance wrong, but then they seem to have insisted in their wrongheaded ways even after HHS told them what their obligations were. …
District Court (NY) Says It’s Powerless to Approve Class Settlement Arising Out of Data Breach Due to Lack of Art. III Cognizable Injury
Scott J. Hyman of Severson & Werson PC writes: In Steven v. Carlos Lopez & Assocs., No. 18-CV-6500 (JMF), 2019 U.S. Dist. LEXIS 203621 (S.D.N.Y. Nov. 22, 2019), Judge Furman declined to approve settlement of a data breach class due to the absence of Art. III standing. From the opinion: In June 2018, an employee…