Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...
Healthcare Organizations Prioritizing Compliance Over Data Breach Prevention
A recent survey conducted by 451 Research on behalf of security firm Vormetric indicates 96% of IT managers expect their organizations to be attacked by cybercriminals. The survey was conducted on 1,100 IT managers including over 100 working in healthcare organizations. One in five organizations have experienced a data breach in the past 12 months, while 63% of respondents said they have experienced a data breach in the past. Even though the threat of a data breach is considerable, a majority of healthcare IT managers say their organizations are prioritizing compliance over data breach prevention. 61% of healthcare IT managers said compliance was their main priority, compared to just 40% that said it was data breach prevention. Other priorities were preventing reputation and brand damage and implementing security best practices, rated as the main priorities by 49% and 46% of respondents respectively. More than Two Thirds of Respondents Said Achieving Compliance Was an Effective Way of Protecting Data 69% of healthcare IT managers said achieving compliance with EPCS, FDA CFR...
California Ransomware Bill Passed by State Senate Committee
Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee; after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2,3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...
Federal Court Rules Data Breach Covered by CGL Insurance Policy
A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013. The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on computer server that could be accessed over the Internet, and the data of some patients had been indexed by the search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google. The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glen Falls Hospital in New York. The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glen Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in data being left unprotected. The files were accessible due to a misconfigured...
1400 Healthcare Organizations Notified of American College of Cardiology Privacy Breach
1,400 organizations have been notified that patient data supplied to the American College of Cardiology (ACC) via the national cardiovascular data registry has been inadvertently disclosed to a third party vendor. While the total number of affected patients has not yet been disclosed, almost 100,000 individuals are understood to have been affected. Participating healthcare organizations enter patient data into the ACC-maintained registry and use the database to measure and improve the cardiovascular care provided to patients. The ACC employed a software development company to redesign the registry and supplied 250 tables of fabricated patient data to populate the database for testing purposes. However, one of the tables supplied to the vendor contained real patient data including names, dates of birth, internal patient ID numbers, and Social Security Numbers. The data were supplied to the vendor at some point between 2009 and 2010, although the improper disclosure was not discovered until December 2015. The ACC notified all affected institutions in February and supplied them with...



