I’ve been encouraging (ok, nagging) HIPAA lawyer Jeff Drummond of Jackson Walker to write a post explaining what the 60-day notification provision really means in HIPAA, as I’ve always had a lot of questions about it, such as: Does the 60-day clock start when the covered entity (CE) first discovers that they might have a…
Category: Of Note
HHS OCR: Henrico Sen. Dunnavant’s political letter to patients broke health privacy rules, but no sanctions needed
There’s a follow-up to an HHS OCR investigation that I had noted back in October, 2015. And since we don’t see many OCR investigations reported like this one, it’s worth noting. Politicians who are also HIPAA-covered entities, in particular, may wish to take note. Graham Moomaw reports: State Sen. Siobhan S. Dunnavant, a Henrico County…
The MongoDB attacks: 93 terabytes of data wiped out
The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000 in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation: still shocked that yall shocked and fussing about the mongodb ransom spike. — CWN (@Cyber_War_News) January…
First HIPAA enforcement action for lack of timely breach notification settles for $475,000
OCR has announced a settlement involving a breach that I never even reported on this site at the time and that doesn’t appear to have been in the news at the time. A quick look at HHS’s “Wall of Shame” shows two entries for the incident at issue: one entry says it was reported on…
Don’t pay the MongoDB ransom until you check to see if it’s a scam
For the past week, a number of us have been watching the explosive growth of attacks on misconfigured MongoDB installations. Victor Gevers of GDI Foundation and Niall Merrigan, a Norwegian developer, have been providing yeoman service investigating the problem, making notifications, and keeping us all apprised of their findings through their Twitter accounts. It all…
FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras
The Federal Trade Commission filed a complaint against Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that inadequate security measures taken by the company left its wireless routers and Internet cameras vulnerable to hackers and put U.S. consumers’ privacy at risk. In a complaint filed in the Northern District of California,…