Navigant recently published the latest update of its comprehensive Information Security and Data Breach Report, which adds yet another analytic view of the data breach picture. And the view is not a pretty one. You can get a copy of the report here. Some of the “highlights”: Healthcare entities again accounted for the largest percentage… Continue Reading
Category Archives: Data Breach
Symantec: Malicious Cyber Attacks Increased by 81 Percent in 2011 and Data Breaches Up
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, Identity Theft, Security
Symantec has released its annual Internet Security Threat Report, and the numbers are astounding. According to the report, malicious attacks on networks skyrocketed by 81 percent in 2011. The report also highlights that advanced persistent threats, known as APT attacks, are spreading to organizations of all sizes, with the number of daily APT attacks increasing… Continue Reading
Getting ready to forward that spreadsheet to your personal email account? Think twice…..then think again…
Posted in Data Breach, HIPAA/HITECH, Identity Theft, Security
An employee — former employee — of the South Carolina Department of Health and Human Services found out the hard way after transferring the information of more than 228,000 Medicaid beneficiaries to his personal email account. The data included Medicare numbers (which include Social Security numbers as part of the identifier) linked to the beneficiaries… Continue Reading
Massachusetts Attorney General Data Breach Investigation Results in $15,000 Settlement with Property Management Firm
Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security, Privacy Regulation
Written by Cynthia J. Larose and Adam Veness
Last October, a Maloney Properties, Inc. (“MPI”) company laptop was stolen containing unencrypted personal information, including social security numbers, for over 600 Massachusetts residents. Shortly after the incident, MPI sent letters to customers alerting them of the incident and related data breach. As a result of that… Continue Reading
Data Security Breach Alert: 1.5 Million Credit Card Customers Affected — UPDATE
Posted in Data Breach, Data Breach Notification, Security
UPDATE: Initial reports of numbers of compromised records in data security breaches are often underestimated. Such appears to be the case in the Global Payments, Inc. incident that we wrote about last month. Initial reports stated that about 1.5 million credit and debit cards were compromised, but it is now believed that the number is… Continue Reading
The cost of HIPAA non-compliance – $17 million – UPDATE
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, HIPAA/HITECH
Written by Kevin McGinty
If it wasn’t clear before, a recent settlement of HIPAA claims brought by the Department of Health and Human Services against BlueCross BlueShield of Tennessee (“BCBST”) underscores the high regulatory cost of non-compliance with privacy requirements. HHS announced on March 13, 2012 that BCBST has agreed to pay $1.5 million… Continue Reading
New Year’s Resolutions – Privacy & Security
Posted in 201 CMR 17.00, Data Breach, Data Compliance & Security, HIPAA/HITECH, Identity Theft, Privacy Regulation, Secure Traveling, Security
Since it’s traditionally the time for new beginnings and resolutions to clear away old habits, we’d like to pass on some tips for improving privacy and security in your operations — and in your own life — in 2012. 1. Be sure to secure. Many data breaches occur by leaving sensitive information lying around the… Continue Reading
HIPAA Audits Begin; Huge Medical Data Theft from California Provider
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
Our sister blog, Health Law & Policy Matters, includes a detailed discussion (warning?) relating to the commencement of HIPAA audits by the Office of Civil Rights. That post can be found here, and it and the embedded links should be required reading for anyone involved with protected health information. Yesterday, we learned of a major… Continue Reading
Monday Morning Privacy 101
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH, Uncategorized
Can you identify the major problems lurking in this one short paragraph? We’ve given you some help. The UCLA Health System has notified more than 16,000 patients of the theft of their PHI during a home invasion of a former employee. The PHI was contained on an external computer hard drive and although the information… Continue Reading
SEC Guidance to Public Companies: Evaluate and Disclose Cybersecurity Risks
Posted in Class Action Litigation, Data Breach, Data Compliance & Security, Privacy Litigation
The Securities and Exchange Commission (SEC) has issued guidance to public companies with respect to disclosure relating to cybersecurity and data breach risks. This release is from the Commission’s Division of Corporation Finance and is not a rule or regulation — but it is clear that public companies that ignore the advice in the Disclosure… Continue Reading
Update on Patient Information Breaches
Posted in Class Action Litigation, Data Breach, Data Breach Notification, HIPAA/HITECH
Written by Dianne Bourque
Nemours Children’s Health System has reported the loss of three unencrypted computer backup tapes containing patient billing and employee payroll data. The tapes had been stored in a locked cabinet, and were reported missing on September 8th. It is believed that they may have been removed in early August during a… Continue Reading
State Data Breach Notification Laws – The Mintz Matrix
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
We update the myriad of state data breach notification laws on a quarterly basis in what we fondly call the Mintz Data Breach Matrix. Hot off the presses is the version current as of October 1, 2011. All the usual disclaimers apply: in the event of a multi-state data breach, the matrix is not a… Continue Reading
Is “faster” public notice of a breach really “better”?
Posted in Data Breach, Data Breach Notification
Pressure has been mounting on companies to “go public” with notice of large data breaches even quicker than they have been. In the forensics world, “faster” is not always “better” and can put inside investigations of such incidents at risk. Our friends at William Gallagher have posted an interesting analysis of the importance of post-breach… Continue Reading
Privacy Still on Congressional Radar Screen
Posted in Data Breach, Data Breach Notification, Data Compliance & Security, Legislation
Lawmakers, industry leaders and officials from the Federal Communications Commission, the Federal Trade Commission and the Department of Commerce generally expressed support last week for Federal legislation on Internet privacy and data security during a Senate Commerce Committee hearing. Senate Commerce Committee Chairman Jay Rockefeller (D-WV), who introduced S. 913, the “Do-Not-Track Online Act of 2011,” which… Continue Reading
Sony Breach Press Follow-up
Posted in Data Breach
There have been hundreds of articles written in the past week on the Sony Playstation Network breaches. Cynthia Larose, chair of Mintz Levin’s Privacy and Data Security practice, has been quoted in several articles over the weekend, including The Wall Street Journal [registration may be required], Reuters, and The Chicago Tribune. In The Wall Street Journal, Larose said,… Continue Reading
Let The Litigation Begin – Sony PlayStation Data Breach Class Action Filed in Boston
Posted in Data Breach
Written by Kevin McGinty
With the inevitability of death and taxes, data breaches spawn class action lawsuits. The massive Sony PlayStation Network data breach has now resulted in the filing of a class action in federal court in Massachusetts captioned Thompson v. Sony Computer Entertainment. The named plaintiff asserts her claims on behalf of a… Continue Reading
Into the Breach – Security Failures Can Cost You
Posted in 201 CMR 17.00, Data Breach, Data Compliance & Security
Once again, we have evidence that failures to implement the most basic of data security measures can cost real money. The Massachusetts Attorney General’s office announced a consent order that fines a Boston restaurant group $110,000 and imposes a set of compliance measures that will also carry a price tag. Despite many headlines trumpeting the “first enforcement action,” this action… Continue Reading
Massachusetts General Hospital settles 2009 breach with Office of Civil Rights
Posted in Data Breach, HIPAA/HITECH
The cost of data breaches keeps on rising. Add another million to this week’s HIPAA charges. Just released this afternoon – the Office of Civil Rights announced that it has reached a settlement with Massachusetts General Hospital relating to a 2009 loss of medical records when a billing manager who was carrying the records accidentally… Continue Reading
It’s Tax Time — Use Caution with those W-2 Forms
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
We’ve had several questions lately regarding “mixups” with mailings of W-2 forms, and whether certain situations are really “data breaches.” Some Attorneys General are taking the position that the employer is responsible for providing notice to affected individuals (employees and former employees) and providing the required AG notice letters in the event that tax forms containing personal information… Continue Reading
Data Breach at NYC “Hop-on, Hop-off” Tour Company — 110,000 credit card numbers stolen
Posted in 201 CMR 17.00, Data Breach, Data Breach Notification, Data Compliance & Security
Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations. I just spoke with Paul Roberts, editor of threatpost.com, a blog that posted an entry yesterday regarding a breach that could do just that. Twin America LLC, the parent company of… Continue Reading
Remember the old quote about “prior preparation?”
Posted in Data Breach, Data Breach Notification, Data Compliance & Security
Mintz Levin has prepared a State Data Breach Laws matrix to help assess obligations under state data breach notification laws in the event of a data security incident.
WellPoint Sued by Indiana AG for $300K – UPDATE
Posted in Data Breach, Data Breach Notification, HIPAA/HITECH
(This post is updated to include links to the Indiana Attorney General’s press release and a copy of the complaint) Back on July 1, we blogged in this space about a very large data breach experienced by health insurer WellPoint. According to WellPoint, over 470,000 individual insurance customers may have been affected by a breach that… Continue Reading
Encryption — Not Always the “Silver Bullet”
Posted in Data Breach
Recently, a news bulletin in Health Data Management highlighted the point that many security experts are trying to make these days: Encryption is not always a “safe harbor.” Rainbow Hospice and Palliative Care in Park Ridge, Illinois had an encrypted laptop stolen, but nonetheless publicly reported the breach to affected patients, local media, and the Department of Health… Continue Reading
Patient privacy group welcomes HHS withdrawal of HITECH Act breach notification rule
Posted in Data Breach
The Patient Privacy Rights Foundation welcomed last week’s announcement by the Department of Health and Human Services (HHS) that it was withdrawing the health data breach notification rule. The Foundation called the withdrawal a “huge step in the right direction” and reiterated its disappointment with the ‘harm threshold’ provision, which allows health care providers to… Continue Reading


