The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announces its eleventh settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative as an enforcement priority in 2019 to support individuals’ right to timely access to their health records at a reasonable…
Category: U.S.
Breach Lawsuit Spotlights Complex Vendor Issues
Marianne Kolbasuk McGee reports on a lawsuit that stems from a breach first reported on this site in March, 2019. She reports: A medical device maker has sued an IT vendor in the wake of an email server migration mishap that exposed the health data of more than 277,000 individuals. The case illustrates the complexities…
GA: JIA sends notices to those potentially affected by ransomware attack
Lauren McDonald reports: Jekyll Island Authority has sent notices to individuals whose data may have been compromised in a recent ransomware attack. The hackers could have had access to data affecting more than 7,000 individuals and companies who do business with the authority, according to a post on JIA’s website offering an update on the…
PROOF POINTS: What happens when private student information leaks
Drawing upon the incredible work of Doug Levin and his K-12 Cybersecurity Resource Center, Jill Barshay of The Hechinger Report highlights some of Doug’s findings — findings the GAO relied heavily upon in their recent report. How you tabulate breaches can make a huge difference in the public’s — and Congress’s — understanding of the…
Eight months after ransomware attack, Advanced Urgent Care of Florida Keys notifies patients
On March 14, DataBreaches.net reported that Advanced Urgent Care of the Florida Keys had been attacked, and patient data dumped. The data dump had been listed on a Russian-language forum known for data dumps, and the threat actor, then known as “m1x,” called the medical group “Malicious Defaulters” because they wouldn’t pay to prevent data…
Patients need to be notified sooner of ransomware dumps
In the past year, we have seen a significant increase in the use of dedicated leak sites where ransomware threat actors post the names of victims and dump some of their data to pressure them to pay demanded ransom. In the U.S., HIPAA gives covered entities no more than 60 days from discovery of a…